23542300x8000000000000000391905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:21.883{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519662C150CF23C04FC62D8B9399F9DE,SHA256=AD0951BB768FE9B5561F69BCCE6C4C9380CF0A0B7DE99ABA059E72EEA2287F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:21.868{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8400C541B577B9053F137345121F87D0,SHA256=B15D16AD2216239374A776B3893C1A29427C60D72296E5FC8375AD8596D21934,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000838281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:30:21.854{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\1DB41A76-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_1DB41A76-0000-0000-0000-100000000000.XML 13241300x8000000000000000838280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:30:21.854{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77\Config SourceDWORD (0x00000001) 13241300x8000000000000000838279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:30:21.854{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77.XML 10341000x8000000000000000838278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.839{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.839{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.436{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.434{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.431{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.429{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.428{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.426{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.426{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 23542300x8000000000000000838269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.221{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECA1E430C7C200909DEEF84473404D7,SHA256=25C9C1EBC18AA3E1B075ADFB5542B22121CA5A39BD51BEFC62F81265F481443A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:22.973{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE719F07A022A113F4D93E02DC723F9,SHA256=C248B2F5A2626A55249082BDA9F7AF6C28E8E4735E2A60EF6C6BBED0F7DC36DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.690{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.690{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.690{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.343{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-058MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.292{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB521CE2BCE422D0FE24E3A7EBFC25ED,SHA256=6C67AEF2EEB07CCE5A7D27F3D3FC5E893ED2808E5DDA0EA3B87AC9F570F6E757,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000391906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:20.022{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50423-false10.0.1.12-8000- 23542300x8000000000000000838296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.738{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61C7B1B976171869DCCBD51A194116D8,SHA256=AD4A441D323A5B54C2E99CA8E695871861B44D8699C53B0E45DC84ABA0F8ECB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.707{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.707{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000838293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.282{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54010-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 354300x8000000000000000838292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.282{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54010-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 10341000x8000000000000000838291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.542{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.542{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.542{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.386{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6729F8C48348F5DFFB489A102EDC5EB5,SHA256=6F0FF7E93C2CDA32F7FE7895A5595BE530532E20697AB2AB86B7A44C9DF9FB7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.347{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-059MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000391936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.706{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.699{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.696{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.694{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.693{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.690{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.689{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.687{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.684{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.679{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.677{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.673{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.670{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.658{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.649{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.646{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.625{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.616{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.600{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.585{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.572{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.525{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.516{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.509{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.499{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.490{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.480{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.471{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.468{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 354300x8000000000000000838301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.131{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54011-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.131{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54011-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.302{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:88c1:e4d5:88aa:ffff-53831-truee000:fc:47c7:6689:5d3:4ebe:ff48:8b05-5355llmnr 354300x8000000000000000838298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.302{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local53831-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x8000000000000000838297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:24.486{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B24DBABE2BC69E2E5583E200B9C8762,SHA256=A7FB0FB4C7577E5F844BFCC58F81C748E93F6EF058EA65F3400F57E7D79D4BCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:24.234{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD5DA8703584F422CBC08073BB11CAD,SHA256=3E51B6FA853B93DEA59132CDF63E72B0540A52832211CEF797FB04EC098F42B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.984{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54012-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.984{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54012-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000838302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:25.582{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D50CE8A2F6C058AA8DE5DDA41910059,SHA256=08D092F21D1A56E238AF52DCBDA067F5A6346D0EECF7A74B40A703D4A6210A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:25.357{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72CAECCE6065A147055881EC02E0848,SHA256=F3EE3F53830DF6FF3871816C03FAE21D7CCD58943808FEA2409DC838101755DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:24.572{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54013-false10.0.1.12-8000- 23542300x8000000000000000838305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:26.680{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB00AA6F326984116E6D2E368A1894EE,SHA256=6AE5788C2EC42DC974213C726A76F3746994FD6EDEA7116748EF09914E358EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:26.448{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9380957F660C2156B598FD5B2EAC6EA4,SHA256=37DF63FEB9000B42BD6693F6605F8E2B422928FB14B7ECF3F933356345CA2BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:27.768{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D965E96E597FF67CDBF0F28E567B44,SHA256=630A9B2AC2B4926B4C609EB74ED3088BFE9E954E70B6088FDC5793CA2268CDE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:27.536{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE7BBA0432B3F0C032684C6DCF3E557,SHA256=D92A257E64A1E7783A58EBFAD2ADDDD1CD8C24BD0817CB5A9276291CE3272A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:28.847{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B91C76DC2F64DB3D3A34FA25789A554,SHA256=86E9C25F48D3212B5CF27256D23CAE67BFB02D1F41376EB3D258DEC3400F8893,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000391942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:25.985{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50424-false10.0.1.12-8000- 23542300x8000000000000000391941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:28.613{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85412830E4F5D1760007F43FE1110030,SHA256=913C47D1FF859632D1327B889FF0AE8866EA912E53D380A41CDF180BD241F411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:29.938{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255C1FD6F5B5D84E9150347EE1CD541B,SHA256=4F1A0A42D2F5E806F146C34522EC584CE83905A19C8EC5B00905A34EC5BD1E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:29.719{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54CB6C71FBCA7342B20AA4CBC8A2B83C,SHA256=6D70B7B03A109D2156A29F2E11F4A6F84A2A2D9E35253DE532E125112F74E963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:30.806{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB163F062F7AF9DEA5D06C82DA054AA9,SHA256=420B6327A1BCB9D6637F15003BF5C217620DE9D000707FB83E71E736FC42469A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:31.883{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CF6ABDFA2CA0AF3FDD507B3F411C75,SHA256=B3673E45A255FFB2D096430B140889C06CD79FACC0815D006F890CA5BFF24B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:31.028{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013ACBEFAD1FE84E04F977904635E58C,SHA256=1C3CB8B486CAB4B8E20FAD839C71101CA8DD4EF3B7C83D005212509E7B781563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:32.970{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53E82101386AEBAABACC9238A6CAB78,SHA256=710B6824877A2D8B17472ED5C45997326D4820AEC2E2C2087107097FF2D02502,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:30.590{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54014-false10.0.1.12-8000- 23542300x8000000000000000838311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:32.110{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A8E269DCF7872B276436877C9CE987,SHA256=7EA5C21F9B0D3B8B7423BE490A13C24872227A3D586A5E353B0CE3F7C9C82A3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:33.207{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8D8FC1A3F2D73A278DD23722830AD9,SHA256=D810B59A9BC3F33B48B86461CF8078985AD950534A8CDF63A81DC6B595409EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:34.285{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F39A72A90295C014B3C22BF2E6623E0,SHA256=B8599E20DFED3B5EC794959CA065F503D8AB61497FC2B8BC5EC8278894DCCE7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000391948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:31.962{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50425-false10.0.1.12-8000- 23542300x8000000000000000391947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:34.055{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0526EC0253AE569E98629B368FACD3E1,SHA256=18406CA066AFB47A0275A7E83810EF18DA8D3E7C32395D9277C9C640150FFD5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:35.360{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B433663C5A53AE919FD13CE078CF9AFD,SHA256=3559EBA50E2C4B9DEF9125D6041BF271E078F38351C9C77E4E4772EDBDA79628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:35.144{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F7E800DBB2F9300D5A4003172180E1,SHA256=79C2635BD2E79AB7958D5703D373DE4FF9F024CA1F5E654FD5B6CEE308AB43E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:36.649{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=87E984236A039FC240CC432B99CBB9D4,SHA256=28C1FAA966F9C401317122F36CD57F015A73ACFF5C01475109200FD44A4A9715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:36.450{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F881AFBDC1555870EB125A8CEDA63A7E,SHA256=AF8F829D3C6D5713CCA6A36D83E00D2BB880667E474760A7369E66BE8DEB6430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:36.217{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C087E8A83601C185A966413A24BDAE,SHA256=EE452567515998C8F87A17019CE9285B9190471A7C998FB3EBF9423C7141E279,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:35.673{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54015-false10.0.1.12-8000- 23542300x8000000000000000838318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:37.538{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CA8B3C1D8CA6D27FF7376E6F9E62E8,SHA256=03C2B89B195262B101497101D551FCA4A622DE90C3BA7E149FAA6907E98DA01D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:37.306{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308F1D7F311C5082EB23F3905AD806B4,SHA256=BA546E6009671BDB7247689DB7BFB037C37AE934980B374AD1A0D0F799114155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:37.118{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=40E34E61500C14681CE07CFEF055AD1C,SHA256=8D0CD9D9FC15FA59D7E6CA343EA94081228156884E4AEBB6C291AAAB816CE9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:38.390{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB5069998619C45FFC11C177F778287,SHA256=4C70AF9052988C66FC6177F97EE607C4EBCCB9CE619EDADCBFC491A1557466C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.333{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.328{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.319{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.317{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.304{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=66FBE1CEEA473AB454273827E5077124,SHA256=A7AD0BAFEADC8C9D4F58F9F08F89912776FD159C27D361BD3E4260799D7EE31D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.282{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.278{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.273{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.255{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.239{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.233{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.231{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.225{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.195{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.182{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.156{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.142{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.137{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.125{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.118{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.111{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.103{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.097{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.090{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.049{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.046{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000391954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:39.486{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB49D182E5DA517388190A97128BECF2,SHA256=40D5008BE58C27B2E4EF93F6E511E1518C71F653EF5633FD743741C1094929C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:39.141{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:39.039{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96A10A59EDF180DF1171004DED5EBE4,SHA256=F1AC1F4633F012F73FEB68E32B31E7A056513E5C2D0F292423FB6751BC6AF4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:40.588{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E1D3E5E79A8119746C4DE510B2E526,SHA256=42DAB8517C787829DFF2F305EAC7EA7D8D687E64649DAFC171A3513ACE5D8E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:40.177{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2132A0244E5163DCCF69C725E532021B,SHA256=101CB3F75BBB0CA60AFA88306EC8FB85DFB2C7F556A5F7127A72A397B9D16AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:41.655{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05431E102CA883482FBE220D98275292,SHA256=80B6ED93B1CEF067A1166610B2C6FCD0E4E2DCFF9DE3B2490D8E4AA39A34DD62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.717{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.714{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.711{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.708{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.707{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.703{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.702{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.255{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF5276D3F3BD0622EC7C0E22FF4E8AE,SHA256=0AE2ECDCBB2C9594645C0BBCC49456ACEAA206DB049013516444DF7983A36197,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.183{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.181{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 354300x8000000000000000391956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:37.841{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50426-false10.0.1.12-8000- 23542300x8000000000000000391958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:42.738{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A055C30FB6E210298A14E56F7C5BD9,SHA256=FDAA12CCB19C83D4DB4C1862C53FD95CDE682E6DF5385F52730DB7606E8C22A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:42.250{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE8826EE53AED1F89D01B07C9BDA1AB,SHA256=8E1920C02850435945BEE5ADE18C9CAFBAFE43C9A0C2B5753D449D8636AE2A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.987{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083BEAA96A5A98CC3232CDE3DD763E41,SHA256=FC9715A448D6AE387B7BF8D3217C44F6668F671F571547A6F69415A4AB25D0A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.629{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54016-false10.0.1.12-8000- 23542300x8000000000000000838360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.333{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95695E140D815FA38D318975EDB76CCD,SHA256=7171A55E6B667D2278783942B388DF29AC8E3D3E2423EDBF360B2D4C8DD46DE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000391987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.706{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.700{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.697{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.693{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.692{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.689{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.688{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.686{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.683{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.678{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.675{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.670{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.663{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.652{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.630{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.628{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.600{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.579{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.570{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.560{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.550{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.520{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.512{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.502{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.489{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.485{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.481{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.473{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.471{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 23542300x8000000000000000838384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.434{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88FA703435A3F5B7FEB7ACAAF25C628,SHA256=774B838BB4BF013D8208574C88BA10641C14D54D490FBF9A335BBC31F584547E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.309{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.309{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.309{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.294{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97cd2|C:\Windows\system32\kerberos.DLL+79ec8|C:\Windows\system32\kerberos.DLL+1453f|C:\Windows\system32\lsasrv.dll+2fbf1|C:\Windows\system32\lsasrv.dll+2dad6|C:\Windows\system32\lsasrv.dll+33369|C:\Windows\system32\lsasrv.dll+30cb7|C:\Windows\system32\lsasrv.dll+2fbf1|C:\Windows\system32\lsasrv.dll+17b1d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000838379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.294{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.216{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.200{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.200{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.200{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:45.521{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67315625865376602D4C5BD07DA201C,SHA256=6F47F7A0F996D97E84184660C5028EB8A9B6EFB63E916CA89CC9FE1112C87225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:45.005{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0083040CDFE6538BDCD378EB822D289F,SHA256=3AE0508B6B5CE7E3CF61AA7722925E8391B58867A64F136EECCB83459382DA20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.742{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54021-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000838394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.742{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54021-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000838393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.662{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54020-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.662{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54020-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.637{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54019-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local49666- 354300x8000000000000000838390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.637{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54019-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local49666- 354300x8000000000000000838389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.637{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54018-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.635{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54018-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.634{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54017-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 354300x8000000000000000838386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.633{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54017-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 23542300x8000000000000000838385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:45.287{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34BF5FDE9DFAACA416AC79B71D5FFB05,SHA256=1A58B3F7D7908229B0A1627CDF24AB79AC531191B4C43C4114F8E2D04CB9BC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:46.617{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE114D6018FD436046CF7136E1B7AB71,SHA256=5CACAF8753B0DDDCA283C6FFE6753F0379767A1028D2BC6DB501536DFF10A1B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000391992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:42.931{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50427-false10.0.1.12-8000- 10341000x8000000000000000391991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:46.205{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000391990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:46.084{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BC2F12CBF792A7A6C63DA873A1ECDA,SHA256=49DB6F7648C896570DCB68BBB89079334D9DAE48C023C59ED70CDA0F9B9DC260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:47.698{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07333219C381A15A0488FB58A4122442,SHA256=9AAE301DF123C346D5B1E71F966FABAF063D15752A5CA0571B6FDB25A4C48F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:47.161{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E49419323031BF6A1ADD1E75277F197,SHA256=B6311DE3C52FEC6F4FA14B3F343FF5D5277B9447B43C759CEC7B8598F190C318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:48.787{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDF05720EE9A202419DF7F2052FC986,SHA256=9F656A4F8D9AFEE63A34254AC255170B05698C7B00B83D3C01FEA3FBC4293B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:48.249{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA86BD98F2DFC0CC20DBA421CE4DD386,SHA256=63D6F51F194F82BB0141CC651D9ADB4E7143857908DB25D483FAF8902C7A2021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:49.875{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E8152579A9E183EC2E84D0C7D5D288,SHA256=3184DA3E8561831A7D2DE0E6606E09A0B8873194A9626E80949A86AB92ED30C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22C9-6387-4E02-000000009902}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000391999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-22C9-6387-4E02-000000009902}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000391998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22C9-6387-4E02-000000009902}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000391997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.878{E56ECBBF-22C9-6387-4E02-000000009902}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000391996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.550{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.331{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FB4A09189DB8087083802E543F335C,SHA256=7F8F230FE42BFF03077A7CECF1872CF2B9DE8114CBF95859150A25BFF6B6A13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:50.983{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB11C9FE7E6C7C1457A22219E1CA8CD1,SHA256=6BDCD8D4A42A10758BCFAAB9A704527848061560BA1451EDF9706704E6C19E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.947{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=857EDAF42BF8BEDD680F433D93D11F90,SHA256=296B42CD9875EE9FCDCE24C08BB7C472BC4157CB87F0D52A14D2C9C4EC94AD8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.838{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9A4D4B02A053A56C189F698B90FB768B,SHA256=B0466856A160F9B1924BDD42D91DA842E491C909CE576ED836453432578E3694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CA-6387-4F02-000000009902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-22CA-6387-4F02-000000009902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CA-6387-4F02-000000009902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.562{E56ECBBF-22CA-6387-4F02-000000009902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.421{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B45C1AA13BAD97DBE3E667FE836179C,SHA256=89DF82D25A2E4B73A46BF2B9CED0B138F90314EC810E3A98B3D740C19230C3A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:47.577{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54022-false10.0.1.12-8000- 10341000x8000000000000000392010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.061{E56ECBBF-22C9-6387-4E02-000000009902}14563216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.516{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290AC063A9BED51DDC86556330CE2AF2,SHA256=C546539AC8EC6396ADFFE339C019E04ADAD57BD930E6FB2D5E4E5D96EE227668,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CB-6387-5002-000000009902}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-22CB-6387-5002-000000009902}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CB-6387-5002-000000009902}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-22CB-6387-5002-000000009902}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000838403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:51.173{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000392028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:48.822{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50429-false10.0.1.12-8000- 354300x8000000000000000392027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:48.295{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50428-false10.0.1.12-8089- 23542300x8000000000000000392044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:52.502{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D00598FECA5B1B9EDD2DDBDEDB3E83,SHA256=8552DB62A93EF41CC6E1A683B7FBA5DB8ADC958DF64517CC1602B9AB1703CA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:52.802{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:52.071{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833C3334E6CBEA9240FC0215B91EDBE7,SHA256=CFE340A6C36B674129947FCBE1EB1DA24FBB909C673968B5B85BE160AC97F975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:52.080{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C88EE9D4BAA9B86563764D77A55DF4B5,SHA256=62849C813B27E7B2DF4111E46A364CB549AF0D68E44AE282EDB1A06B09D799C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.938{E56ECBBF-22CD-6387-5102-000000009902}2792212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.756{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CD-6387-5102-000000009902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-22CD-6387-5102-000000009902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CD-6387-5102-000000009902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.752{E56ECBBF-22CD-6387-5102-000000009902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.595{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C7D5B2BD424E1C734ACB63C3EA25A0,SHA256=FD4AE0ABA66F0CCEF4FEBE3E65B15E9C0564E87EBB78CF16CD4CC813F61A8FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:53.167{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4635BAAA6ACBF4DCECCB3C19360646CD,SHA256=9805BE6576FB0A4278065E4DC4EFE3281A4C51C3D38EBED82CAA2316329CC372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.731{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BEA235D480D57A7C11982D126B9BEB,SHA256=DF9E1AFD837B8451DAC67703D4968198690AB7417C83211F309F1EC0FA536D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:54.239{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CAC6A2B61714F31F78C913C959E2D1,SHA256=ABC3A412D9C142F1B23C02694CEC3A2D614C07F859DBD3883F391D0B029E56D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.590{E56ECBBF-22CE-6387-5202-000000009902}33323404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CE-6387-5202-000000009902}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-22CE-6387-5202-000000009902}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CE-6387-5202-000000009902}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.435{E56ECBBF-22CE-6387-5202-000000009902}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000838407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:52.229{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54023-false10.0.1.12-8089- 10341000x8000000000000000392099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.997{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.997{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-22CF-6387-5402-000000009902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.997{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CF-6387-5402-000000009902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.997{E56ECBBF-22CF-6387-5402-000000009902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.798{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FFE801B7A56F6F2DD86A1EAC0423B1C,SHA256=D05845913C5E89E5D273787E654297BF654A5F12CA7D52D5F9ED74771085A6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:55.328{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D77ED94320E2A32E87D124D445CA64,SHA256=3E5A9ACCE1370DBD7F2218F9CA90E3CD0C73AF492E8740BD5549E4EC986C4F90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.270{E56ECBBF-22CF-6387-5302-000000009902}1256620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CF-6387-5302-000000009902}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-22CF-6387-5302-000000009902}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CF-6387-5302-000000009902}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.115{E56ECBBF-22CF-6387-5302-000000009902}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000838409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:52.635{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54024-false10.0.1.12-8000- 23542300x8000000000000000392105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:56.886{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62118E05C1DF13461C42108F53A91166,SHA256=769D55457B63C6B4B28231F754F48A35A1755BC3CC73905448582545770FAF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:56.410{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07403BEB5482EB12A9BF505B58EF3298,SHA256=8B96C0029E8A7B71E639433FB7E5807044BE2D26EDA8B0E0346B0E37054BA58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:56.379{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACE1241B2B9FB679D638211F825876BC,SHA256=D505DED6385A3905972923CE11E8B5A1B426C9135828E7263BDB80BCB77C4731,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.890{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50430-false10.0.1.12-8000- 23542300x8000000000000000392103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:56.173{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F2057F9BAFE9A97BC5927AA7DC27BF1,SHA256=E4322FDA6D8ADF94ADAE9CB87CC14E9248980712D5D8AA454A9FD2D06F344869,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:56.000{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CF-6387-5402-000000009902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:57.966{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166FE241BED10DBEB0CCC0DF8778C06D,SHA256=7CC6F8331480D434D90738F2ABE316D5E0B7E6EAD1BDA91BE6F61A1ADDFA4A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:57.510{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C188B03AD88E4580A5CA891D0789F4,SHA256=C47314A01F4F4ACA92FF6DDE9246CE9CF8206E776949E7B1CD38444DC1BCDBAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.787{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.587{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFB76625094401AE016FD5B3700A746,SHA256=596EF5D44C8C936E625ADE39D8A8BE1BA0BF41E9F44D2DDAFF6AD8F764119AF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.375{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.372{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.354{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.352{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.328{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.325{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.323{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.309{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.297{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.287{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.285{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.275{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.222{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.210{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.194{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.185{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.179{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.171{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.162{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.155{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.144{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.136{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.129{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.073{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.062{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:59.663{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A21FFDCAAFD2E5CA902DC946747D9F,SHA256=A6A353E63867CA638DFBA5A1DFAFF491266F970BB267350C4C0835C758F6D78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:59.048{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAC2A2D728A44E0D0B38EFC22963AC0,SHA256=7CC8265CA788F1E5FE5DB0126F1718FB92C012BB73F07511485FFB50B8E2F9F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:00.825{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:00.823{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:00.745{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652C3E937D0520475B8DB3EE82654EB5,SHA256=48F63431F35082AFBCCE26290705A569FD53C01ACDADDE5BE4F5A639BCA6B739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:00.131{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE44B7FCEAD6AEA9142D752D71E70426,SHA256=32E5D410271F5356E5CBC95C2A19A636F432C66D55CDE9C7A7D540E89B35959C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:57.637{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54025-false10.0.1.12-8000- 10341000x8000000000000000838457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.865{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.865{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.864{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.847{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3100-000000009802}2952C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.831{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8E6E5388A24D126E0D4638E63C2700,SHA256=2DFC15C03C61F83DF3EB17843CC710B50115E2E98226AFCEA85BEE6096E681E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:01.206{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1917C71BCD37787826274446E4E6A2,SHA256=300B34EBE5B3B6F54BB290375DAFE31A1A23326E61F1D8273573B2247967328C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.353{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.348{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.345{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.342{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.341{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.338{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.337{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:02.913{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F716BF95FC8B9EDBDED8B4FA766BF033,SHA256=150B696E65C75B5B231D2466E8E9BCB7B5B67204137AFB9DEEEC74D378C9453E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:02.850{8A63456F-1471-6387-0D00-000000009802}9082236C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000392111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:59.798{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50431-false10.0.1.12-8000- 23542300x8000000000000000392110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:02.296{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B339B9354EF36F3404773EE0089ADF,SHA256=92EFCC93D183EAF6A5E940C1BA3FD69E76E14C02AA6FEE0C75784377913C22F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:03.882{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B7A043CE11A068D12770133BD10FA5,SHA256=305BB02744BAACB406E2062368397B80B9764AEF45B642EB38286A03BE1B6BAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.693{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.691{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.689{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.686{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.685{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.682{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.681{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.680{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.677{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.674{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.673{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.666{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.663{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.657{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.649{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.647{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.635{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.629{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.619{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.613{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.605{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.570{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.555{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.544{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.530{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.512{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.499{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.486{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.480{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 23542300x8000000000000000392112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.386{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E9FC48E09BCDCA9CF312DA143194BC,SHA256=367263345596D373F184F4EAC45153224365267E8D8118CBB142AFDE67837CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:04.958{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57436D3EA5C1697B1892EE6C63B20E8,SHA256=E41BC03A269D682D12B7FE273209001C74864D5612FF9A5029FD283676AC2F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:04.830{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5968AB9213E71DA284BEF28AD52030A9,SHA256=A2F8F24D747F0767C0B734F66FEBE8DADF758C2DA02F879C6C762A3C9DA982D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:05.903{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C1E07C71DE47B3D1383D07A7E5CA80,SHA256=85613F914805FD0439C93491F84E70D2CFED8B2E3F0986E58F2801489129954F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22D9-6387-5402-000000009802}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-22D9-6387-5402-000000009802}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22D9-6387-5402-000000009802}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.810{8A63456F-22D9-6387-5402-000000009802}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.342{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=567EF1BE79BF0A990DB99786A8D61E46,SHA256=D8F4556406DAE59AA41B66915DA2C8EB2440CB5D4DEF4F0129DB889665B6DA04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.311{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000838477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.311{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000838476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.311{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 354300x8000000000000000838475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:03.543{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54026-false10.0.1.12-8000- 10341000x8000000000000000838474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.147{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:06.994{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1868DC2EFEBEE335CA3F326A1BBFE2C6,SHA256=0CF656EA74FC86A969CAB3BFFB9C78F7CCAE76C02879EFEDA591478CC284F3AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.932{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1EAC6CB3D9E0C50E8205C4FE5DFADA27,SHA256=678318F55D32CC978B698FAB283B4096BB85E054FD957BD0C8B0AE73A1642C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.503{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E01F25C0DFC20EA7D4E0291AC36AD14,SHA256=E58BE14522268CD0CD293B6495B3ACB9BDECE649C1633FC6D38A3B7DA84B625F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.503{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED8858D0C3A23F0ED48912DD4E908818,SHA256=050282860F200790DA338D8AD17B1E16277D41F316A95A56406E7F990CDD80EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.487{8A63456F-22DA-6387-5502-000000009802}42404460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.313{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DA-6387-5502-000000009802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.310{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-22DA-6387-5502-000000009802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.310{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DA-6387-5502-000000009802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.310{8A63456F-22DA-6387-5502-000000009802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:07.363{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D1263A2756885FBFD8D863924B53D0,SHA256=A2EE89367AA832ECAEF1E2918163939BEB21F336099E3862E4663071878ECBA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:04.889{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50432-false10.0.1.12-8000- 10341000x8000000000000000838525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.801{8A63456F-22DC-6387-5602-000000009802}43724156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DC-6387-5602-000000009802}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-22DC-6387-5602-000000009802}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DC-6387-5602-000000009802}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.540{8A63456F-22DC-6387-5602-000000009802}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.435{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C431BFF40BA33316CC67371425CB9A2,SHA256=9D7401B26722AE028C24E8997F1281E0146965139BD5B4B6AADE5FB245C3CB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:08.335{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7C4B9A1B04C2AFBE542CC66324082F3F,SHA256=D9E6395CC9EF9B21BF14E618953CB2406EA6AF221455C1F872D54AF8939299B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:08.077{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333F9E44F1177B0FAEB593E1A16F670C,SHA256=C8FC0387C7E2DAAE9C8B0A3D99E7BAEE148910161EC90626223AD41D2290234D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.982{8A63456F-22DD-6387-5802-000000009802}46123084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.903{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8EC9874CFEF61323BDA954EBA550B6,SHA256=D0920B612904F3F7DCDC691E1AD1A3619379DA3AEB96151F055D967412D5A98E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DD-6387-5802-000000009802}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-22DD-6387-5802-000000009802}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DD-6387-5802-000000009802}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-22DD-6387-5802-000000009802}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:09.488{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-059MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:09.159{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850AA579533643681B6D90DD9042B3C9,SHA256=00D045F7732B4A22EAD5D98939C26D4E31AFFFB3422A0C5F97A3EA8D0E0132C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.784{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54027-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.784{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54027-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 10341000x8000000000000000838539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.316{8A63456F-22DD-6387-5702-000000009802}28284248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DD-6387-5702-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-22DD-6387-5702-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DD-6387-5702-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.052{8A63456F-22DD-6387-5702-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:10.849{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE17B0B280EEBC1FE4C73AC03C191AE,SHA256=BE0ABC51E5FFB15B56E613E1A604A9205AA0C2029C29DABF5A8A58597D9BB210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:10.490{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-060MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:10.243{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FAC14D4C6AB5E2ECCFD7E2D6025B2F,SHA256=6C220663F02A718070F1C2038277D49BCD23D5DCE63C5A480575053EDF0D3272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.929{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED276E1AE911D9580DE9D52A19BFFAC,SHA256=1112B9B52713E854C6648D16C58BBB46E23D211477052235B1B99D740F18CD65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DF-6387-5902-000000009802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-22DF-6387-5902-000000009802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DF-6387-5902-000000009802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.867{8A63456F-22DF-6387-5902-000000009802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:11.313{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EC9336C4C4CC502B9E2443F3D6E9D0,SHA256=FD672E8E0338B26A4D6F91632339F867DEF72078DA4F4FB9A73A482F2D4B02BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.580{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54028-false10.0.1.12-8000- 23542300x8000000000000000838573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:12.900{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=762CD888FC8DC724104343E2F9226B7A,SHA256=C68AB2324F05C2F2514417FF391AC79D2FF114358CA5C0D6FF934FE68E23D116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:12.401{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7E304A4459E533132E6B74470F3E62,SHA256=A1644A3DDFF2E5A37D6CFC0F5894595B22E6D747F9D72463C199B4253807D347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:13.976{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56820AC88BD1B0324517531539A9DD8B,SHA256=F87A255778199EBEDF7941D009B6A323F8C265A49E1A24FAAC87B373B279014B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:10.850{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50433-false10.0.1.12-8000- 23542300x8000000000000000392154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:13.485{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2DE4EC40EEAFB5939A225A94F7C253,SHA256=555FA0CC84D8FEEBB3F2044F39ACF5BBF854491D5F6BAE4950B52B82E409A576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:13.009{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54F6941C4AF22ACA1DAED50D9218DFB,SHA256=8B382EC6FD01F6FEBF019827B535320A6798EF025D57EA95F51687D89459496B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:14.568{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C4689DBDE344A1ECBF055251DD9807,SHA256=D103D1A59CD8BC624638BFCF3BF795CAE435298DD5D63D8D37474C1E856D9CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:15.641{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEA496B1BF707759922D158A65EFA0A,SHA256=8809C6C0EA41BB3E57228732C53DCDEB1ADFCA49BF27046724AFBE9793441563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:15.065{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F899B1B983B80A11E4CCCFD56B2B8ED,SHA256=955DBF2727BBBFF83903F32C6B8D846D2B305A6FDC4A1F9C1AA6545492B7AC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:16.717{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148C28DC70373F3F52287E4BF828AF2B,SHA256=4F7E8F37729B9697FD0DA3E5F4991EDA1DB7C7B6369AC0376A58DC215D4DC74E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:16.150{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F370DC605F1918B1A5A09992EE9336,SHA256=A5D64185873CDD07D56372862528411DC12FA591B6BBF551688C28236D640187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:17.805{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9C07C9664D5539F01AF4FF77566471,SHA256=786C89A46761FDC63D7BCB0B5B07E27D587AD732BD137C23219FA9B670E506A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:15.577{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54029-false10.0.1.12-8000- 23542300x8000000000000000838578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.241{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A7C07ABD424494A49F49813AA2D233,SHA256=235AEEC486166685516FCF2187D7CA913887CC0B99D43B599128CC7F3BD87F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:18.873{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858A5EC5DD154A6F759800BDB2FE61D8,SHA256=C8CA1E02DC39BD4567AAE38712CF2458B809F37F714443980FD511F3885721FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.855{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.325{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000838604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.322{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60F5CF9F41A96B27C7FF32752250243,SHA256=079133FDEDA9EEBF2502C3A8FF911DE335C2C80DFF0693C0E9D74BDBC293A9D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.312{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.294{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.293{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.244{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.240{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.236{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.229{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.223{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.216{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.214{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.212{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.186{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.180{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.162{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.156{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.148{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.140{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.133{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.125{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.118{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.109{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.101{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.048{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.045{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000392172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:19.970{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A5D9FA28141AA0305D7802F1167EB1,SHA256=C474426338CF787F2D031F5B6116F3774309C0DDFF16280A45EFE60207EA2DDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.902{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local53831- 354300x8000000000000000838609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.902{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local63259- 354300x8000000000000000838608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.900{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54354- 23542300x8000000000000000838607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:19.260{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0096E9E02FA15D5B5EFAB7D926299463,SHA256=08BE3B3A0E10F8D37DECA6C83A20AF6EE87B55A42C56A6156217D5542C82AB0C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000392171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000392170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00388feb) 13241300x8000000000000000392169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90496-0x1e512d5d) 13241300x8000000000000000392168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049e-0x8015955d) 13241300x8000000000000000392167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a6-0xe1d9fd5d) 13241300x8000000000000000392166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000392165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00388feb) 13241300x8000000000000000392164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90496-0x1e512d5d) 13241300x8000000000000000392163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049e-0x8015955d) 13241300x8000000000000000392162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a6-0xe1d9fd5d) 354300x8000000000000000392161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:15.957{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50434-false10.0.1.12-8000- 10341000x8000000000000000838614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:20.907{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:20.906{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 354300x8000000000000000838612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.903{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local62860- 23542300x8000000000000000838611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:20.362{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A29B7A30849BE6B19C6EF2A4575D43,SHA256=1EB58CB09F29568E11860A297D081E2CBFADE0365C333328DB8D05F78C2D5B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.446{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87ABAA1F9DAC775390499714D4A4B1BC,SHA256=D48DAB933832151C7BB8AC1AA3AB7C474D3545F975DDA4DCD1236305516216AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.443{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.438{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.435{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.430{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.429{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.425{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.422{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000392173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:21.045{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F68D7B32D7758322223D666BB6FCBFD,SHA256=AF8D305D79B4BFE781BA49EE0BE0B7FBFF49B365F09D98D4545CEA80C2757913,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:20.600{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54030-false10.0.1.12-8000- 23542300x8000000000000000838623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:22.520{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C85E6DA3C9FAC7402909E4E2CDC686C,SHA256=424CCF4EDCF7410DA38CAA8CEE167A9C0B7BAD344C97E55162656BDD7C8F649A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:22.317{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DF3F859363A00277C034E498CE311FE5,SHA256=E46B9DF97AC9273DE98F1C344C380F414F0A3BA7CABE57FE2566191496A7888F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:22.129{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7BBB532F05FDEFC1D7320B1E679C4F,SHA256=E9220253CCCF382669AB466B039A1FDD135F4FCE23770056D324B216EF2AD13D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:23.859{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-059MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:23.597{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494DD48E3DFB2DC192313A457EC0FC74,SHA256=EC211C84F393CDB370F57C7B870F224640C0378B13C6BD65609D36B6DE67890B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.656{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.653{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.649{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.647{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.646{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.643{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.641{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.640{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.637{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.631{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.630{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.619{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.610{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.602{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.592{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.590{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.575{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.568{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.560{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.553{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.547{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.523{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.515{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.509{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.501{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.493{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.484{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.478{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.474{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 23542300x8000000000000000392176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.217{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15CBF1F36C2E42E509093D9C1C831C40,SHA256=0F968F2FA192589071B317971555D3C01ECD77DB0ED637E4658380CA676651E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:24.868{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-060MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:24.673{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08390C76CA13795BCC4BF9A19297C633,SHA256=B2AD41D9D4B05664F96B3FA7904C1FAA7DB14C68A64F9FC82E308B6B46B99F78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:21.945{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50435-false10.0.1.12-8000- 23542300x8000000000000000392206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:24.753{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9817F204CAE954C9849008961DEFA3,SHA256=D44156423A47FCA93D32364F8DF4BD933BAD07C6D8828A5F79DA98759105CCA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:25.760{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A6743CF06ED1CB56AF9ECFA70F9368,SHA256=4D07F688AB46B855BDCEF57F710CDF21E6C90B5A275586542F3DC9B5EEB1EA9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:25.822{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBBA313B7543A1093A707D82BD887F7,SHA256=508F4D550B54F2AFBF8BA9250B773A6CFD2C828C3697017CA85625BF80BC9125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:26.845{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687A01574A42B0C4402CC5E514CA2531,SHA256=06EF92EFD1B8ED8D9D5E478EE021C3619617C1D83E8102DEDBFAD55B860BC016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:26.907{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10F0FDCB7E32C16704502FE302BBCE6,SHA256=18CB92281C2684CBE93BB2DD7AF79A8177D8F540B4AB1BDCA8C6DED7EEBBC024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:27.940{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E15BAB2A8E4461E4953ABECE0D98F2A,SHA256=78DE7F2687CBA1B2EB0F0EDF97C98B16F266479C3111A98E0E0A7C4DCEBB1453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:27.986{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5ADFC5F4EA6CAB732B416634FBB57E3,SHA256=5D5837CE51FA107E2F8D7F5929D4494377C9AA8FA853BE0245D6A2C5AEE307D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:26.579{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54031-false10.0.1.12-8000- 23542300x8000000000000000838632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:29.012{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CD703557401A39CAEE6E1EAF9978E0,SHA256=46B73FD4D57A2B63782306757793E0B2868C5ED487B84883345C902476EDB526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:29.065{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3517DA6CAB24458A4B2B92BBA3D9E6AE,SHA256=E57F24873D7D60A9C8A5B5B60F6D6F7B74A06C0AC278F03B150D745F34B9C3F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:30.151{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1255A14751037F9E73C66FD21DB52A43,SHA256=AC841FEA6B7CFD404504862844505DE785133DC806B9462246CC9DE0E705EF31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:30.081{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3753816A75FF537552F3748045527EC,SHA256=13677EC9D4556A603A7369E64896447C5A4DD6FA1DB9DC182FC696197524BEC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:31.244{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D455896A982187209F50FC2710D1C48,SHA256=13D60AF9E7EE6AD1A861A6C60C9EA1302271BBD895D9657A53F03A2EA6A4C195,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:27.857{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50436-false10.0.1.12-8000- 23542300x8000000000000000838635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:31.151{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269E751DBF67BCC001D27627867ED0C6,SHA256=3FAF41108ADE89B84BDECEE06DCEE58BB608785AF99ABE26F12B100943A9BDD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:32.331{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43954C1EBF9370E3F3073DF605BD576,SHA256=24FC07EDE9684A37B810B9D05AAD85DE6AE0D7326B595B8A7904DB9518C70700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:32.243{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248EF69503AA921A15536C337B8EB295,SHA256=AE8F444FD8EE43E9432909179738E371CC17C0EDA9CDCE6D1281033EFAEE7228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:33.409{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DF3EF846617D73D46A11B4951DFF46,SHA256=99E31F77AB799C7E0BE52FA8D6104D864D2F0A88CD30C289B0C6D1A65AB68E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:33.336{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D643E263B75951D374323A8E183424,SHA256=31627454537E6DBCB6143E95F67E45A0C2A232139949D642B35E269D971D9CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:34.499{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E095B64E23A304F97AD9C20616232BF,SHA256=7615B5A9CA2A9E838C7759333CBDE7494EE32438554F9905DF0E723347284D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:34.413{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53457C9610A67043DF4CFB3A43B8663,SHA256=E8C9B9D00811C2204E40C747927173F6D8A9B335FAEE6BDBD61AF1C265A15AC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:31.624{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54032-false10.0.1.12-8000- 23542300x8000000000000000392218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:35.606{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E803381387F2F64E8A565CD44578698E,SHA256=C3CCEB09C457FD388F076B7ABF238237352689D949380F364DB7FCB621B82819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:35.496{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF78397FDA18381C9337EC18D8A70D49,SHA256=B182F591CE1C59C1FAEE4B7E708136AAA684943784336C786D742623FE0D8F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:36.698{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7900E6BC2FA32F0F234B844154D01954,SHA256=53FDA99ECD56A5C545FFFE2FA2F4A1BD508B97D8AA9B3F6E1092437BA870F5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:36.594{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41C6789775676E8DFEDBDDB02D065B9,SHA256=7C86D7CDDE8040AC448D2957846FDA048D2C395DEFD617DA9C76B75602995B49,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:32.868{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50437-false10.0.1.12-8000- 23542300x8000000000000000392222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:37.793{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0E73626F3F4CE364FC30C3D6522BBE,SHA256=388667F25689BFFB627DDA581BFEE278E70B8C49FEE859BFC33EA160C9BB54BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:37.685{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072015BA9112FF6E10D9AAAFE11588F0,SHA256=4FAD169593B7CA85B26104638A2C1A593E99BF15273B68254340C7EB4F409C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:37.121{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2999A2F24CEF698EF5774989F3AAE6B9,SHA256=DCF4485AE1F796E4217F4CF893BA64D12C0701382342C64FDE9120E5E56C619B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:37.159{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1400A84FE1FF6425B6EB0A1823409C56,SHA256=0553837B277C5A6F070DB65B1C961B0D27E2D427A4ADDF3BBFD5E07E60C64DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:38.876{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3AC4153F9AE93B49C69297378521F1,SHA256=0EAFB7464294FF388F78859AFDE5700D5844DC64A29D73187C780B0084D7396D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.793{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 23542300x8000000000000000838670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.735{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BBE8C549E7F4972325B137AF0B376C,SHA256=0F1D3493BC3B4779BD78DF2598D207BA7FFDF54C359281A8FE19DB52EA29F108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.304{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7273323F9F94CE66E70AA6EE7D3F93C2,SHA256=EBF1128001EDE05C8977431D320B5D771A5BE44113788FD674F8506ABD273D03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.273{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.268{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.262{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.260{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.243{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.240{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.238{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.233{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.224{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.217{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.215{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.212{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.190{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.184{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.173{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.167{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.159{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.150{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.139{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.130{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.123{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.116{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.110{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.060{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.057{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 23542300x8000000000000000838672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:39.834{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D82FA72D3E0EAF81B117A0729232E3,SHA256=1A424EABED93B1B6D94E52BA075799CDF45CAC1661C7E6C7FFB6AD3D149D3DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:39.970{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB23939E4AFADF0F05FAE6A18BA66EA,SHA256=D96A2F97D5B8BB53A8601979D1C6C11B390CB4A859920D5164BA6A2286540B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:40.903{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4638037D8FE0D91866A39EC8AB95CF16,SHA256=18E5EEA2B6255C04B8AADED675E603A1A54A4BC0FD1BA80F6B9004B27C683A4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:40.846{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:40.845{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 354300x8000000000000000838673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:37.519{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54033-false10.0.1.12-8000- 10341000x8000000000000000392227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:40.317{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:40.317{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:40.317{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.868{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41087EAFF22A73256C98AAAD59AD4C87,SHA256=F0183CEA0471B14C06248D2A12577E1E17AD58D92F561FE13C0BB862C97A4C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:41.046{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C0788DC33309360468466A6F8F1D47,SHA256=DB2164B4F7458B5A57EC57CDD43F2AF5C760317FB2E42ED3D3C39C4EE7CE95BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.376{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.373{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.370{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.368{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.368{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.365{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.365{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 23542300x8000000000000000838685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:42.948{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B749182E269FC02946930AD6467F351,SHA256=A802BD36B2C30B49F805823995E796CCB7C2EAA42E4F69AE22753C7E0CE649D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:42.144{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755E7F358C9795A4FCEAFEB8E3B95141,SHA256=CDE31A5851DB18D2C0A8E59761E3B8E3AF1533AF3F7526B333E4C96F30269681,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:38.802{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50438-false10.0.1.12-8000- 10341000x8000000000000000392260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.663{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.660{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.656{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.654{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.653{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.649{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.648{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.647{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.645{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.641{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.636{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.632{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.629{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.622{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.614{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.612{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.575{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.570{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.563{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.557{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.550{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.524{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.519{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.515{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.497{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.494{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.489{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.485{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.476{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 23542300x8000000000000000392231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.229{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C03389C5D5E9688FCEE23846451C93,SHA256=CE5263A5494E440CEB6B011CA186B1E7F68127EF0A314938725E7FD5B88D85FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:44.384{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6540EC4CF68E78E4D873DB2B57580BF5,SHA256=277886B2B7539DC59E11955685F2CAB1CD8D650605FAF8CC74BF16D641405529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:44.029{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F0B6BA8FF701EDA5E7970F0412E474,SHA256=CD63CF825F6F1E84AC44C998DC5EE1FFC568EFA6FBE0E624A881A7D9DCE95A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:45.466{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5235ADF3434A1B7292F3DEDDB46EC763,SHA256=2B0050E4E26A9B841F204C634E1157672A114A09F03A617CD86A09D52492A1B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:42.657{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54034-false10.0.1.12-8000- 23542300x8000000000000000838687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:45.111{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6005F5AFCCC4AAD0C924E9B1DAA1BC0,SHA256=AE34F5287778878CA5119DDA1BB53599B07317AD7677D1BE8E4650B54F199B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:46.534{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FADF9C0689F5E0C12C868883A08F6A8,SHA256=2F880502344A4B73940F65BBB0CBC2AD1DA6345CCDA0200B7437F2E941B2453F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:46.199{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CED89BE921693C12DA043CA4A5DC86,SHA256=1661171F8DB97B2A31B7B6E840A8AEFE8B567FD8F119D6B21CCAE8D6618A0BE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:46.223{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:46.223{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:46.222{E56ECBBF-146E-6387-0B00-000000009902}6441464C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:46.204{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:47.723{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1548F386A423249BDB7CF7E07A79003,SHA256=8D868C0903D9127A9B3E7709E5E4315456603F18F03A18AF634677FC82F749EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:47.281{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682EA953E97E187D279E71786788D12E,SHA256=88A6103D1EA1E4589767422AC039108B86ABB43354372E82153618765812CA5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.938{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50439-false10.0.1.12-8000- 23542300x8000000000000000392270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:48.922{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1B8EE31F20E11AFF04446A1F888486,SHA256=2C7BC4EF23FAD81D678B5BEC72215CDCAB100DA3A56CD8F676E51B5536E6E055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:48.377{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0070B530591B8720C541C0D9239D9708,SHA256=3BC101EC3F4EF673B494F7338A5DC79CAEBE7E644AD604B29AD6731B70436728,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:47.691{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54035-false10.0.1.12-8000- 23542300x8000000000000000838692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:49.455{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775DBCA9EED45CBE7ACC1EAEC59B2223,SHA256=CF5F3257A6A8884BF276C06A773AA4E2A9999501599E411FDD15A9301D476B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2305-6387-5502-000000009902}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2305-6387-5502-000000009902}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2305-6387-5502-000000009902}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.900{E56ECBBF-2305-6387-5502-000000009902}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.571{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:50.537{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631857BD7023C357A53A344EE7BD01B5,SHA256=9A586492FF89E7EF4A12E24E43B22A8F805B77D2025D8FCF2C6B0DEDB61DB191,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.558{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.558{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.558{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.558{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.558{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.558{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 23542300x8000000000000000392300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.545{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EF4C82E606D72BD414D8169C08E1278E,SHA256=63E3F442CFE1FE2DB4032DDC170B534CAEF4732CE45EBD41FDC2E7882F0C7ED7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.443{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000392286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.067{E56ECBBF-2305-6387-5502-000000009902}13642956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.050{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D07AFB634A8836CB22FA737DEA69ADCB,SHA256=36EC73B5AEE59AB3750DA49C281AD610CCACB893E22DBCB2E6A814CB4E53AF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:51.611{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F083B62DBEE3B601EF453D7EACDB452D,SHA256=5AA480564425889996C0AF8A95DACC3C2831A335AFFD01BBC863EEF4BED53177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.559{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4C56A37652326BDCEFA774EC89CED10A,SHA256=35BB9A5F5D1713D4DDBE33DFE9554C0C5F8230511088CBAA724160EABA443E45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:48.314{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50440-false10.0.1.12-8089- 10341000x8000000000000000392321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2307-6387-5702-000000009902}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2307-6387-5702-000000009902}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2307-6387-5702-000000009902}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.466{E56ECBBF-2307-6387-5702-000000009902}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.137{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B54B38E0781F7C3D49339026B9064F5,SHA256=8E73549A52B1007F4C8D6D897C034D53A8A24BBA8FD97AA4C0386A15403EAB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.000{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D05D22CCFA580B31713AD1D6669E8D39,SHA256=194A21F16CD7C1AB4788DBC674385F171E90B51A2E266339AF09CA17FB6F485A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:52.827{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:52.686{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FCB2DDDF4355E91E759C4452F43757C,SHA256=B367290A7A65F95DB8AF26F43A0179E217CE6E4C8C9B1D9BC79570AB175AEF15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:48.966{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50441-false10.0.1.12-8000- 23542300x8000000000000000392324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:52.217{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0262F77E25D969B34D0A8C09A1A7C5F3,SHA256=317071295C60845661D59772EE0BC5AC4DE43B45A0AAA45202C4950B6C1C5557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:53.780{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F375E8F30DA3F4E9DD0973D2D404964A,SHA256=5CF6660C524518196684D0FC00C853B2E2A98A92F0EB7AC607D47224CA23CE95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.883{E56ECBBF-2309-6387-5802-000000009902}40923696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.724{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2309-6387-5802-000000009902}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.724{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2309-6387-5802-000000009902}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.724{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2309-6387-5802-000000009902}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2309-6387-5802-000000009902}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2309-6387-5802-000000009902}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2309-6387-5802-000000009902}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.691{E56ECBBF-2309-6387-5802-000000009902}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.299{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5EFEABFF1B50E0410833A60F1E1A77D,SHA256=38BDD220D5140B852C81D7C343242BCFF831114DD5B55A261967FB5DF223BABE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.551{E56ECBBF-230A-6387-5902-000000009902}32522304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.394{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35E90F24A9FC3AE4190A463A720DE24,SHA256=22FCAD3A851EB690B858097D53EB033B8EEA1743E95CE0B22B3837B6F98BC801,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-230A-6387-5902-000000009902}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-230A-6387-5902-000000009902}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-230A-6387-5902-000000009902}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.364{E56ECBBF-230A-6387-5902-000000009902}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:54.856{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B905AA96510AD2D81A628E59035E1496,SHA256=E865BAEE4694E50D5F406A7BDB7B92E4E5AA3B95A31AA546FC75A5B49BEE3108,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:54.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:54.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:54.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000838699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:52.255{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54036-false10.0.1.12-8089- 10341000x8000000000000000392386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-230B-6387-5B02-000000009902}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-230B-6387-5B02-000000009902}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000392375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F31E0EE2E1B75C73A1FBAF23607CC6B,SHA256=BCED44C416FDEB8FA8C425AF3335228093447864DBE58A0A467BB1D7615D022E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-230B-6387-5B02-000000009902}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.970{E56ECBBF-230B-6387-5B02-000000009902}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:55.855{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5D69D73A216027F01665355D900B31,SHA256=E747076FBAE1BBF4DD57155A70BAE73A25FAF166ED67C812B31EEDCBE35480C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.237{E56ECBBF-230B-6387-5A02-000000009902}39561884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-230B-6387-5A02-000000009902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-230B-6387-5A02-000000009902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-230B-6387-5A02-000000009902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.025{E56ECBBF-230B-6387-5A02-000000009902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000838704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:53.583{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54037-false10.0.1.12-8000- 23542300x8000000000000000838706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:56.942{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9129AA5C87BB2797AB82473E719471DE,SHA256=823F8E233E6AB9715A3686CDDD8846E32362F5B452FCE44FAF4A915B37D33E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:56.114{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4E5E68321DB748CDE416F36A1537196,SHA256=885CF60701375D5337A13B68367B76C975BC93CC84F77F38003D3A1AD2895763,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.945{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50442-false10.0.1.12-8000- 23542300x8000000000000000392388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:57.015{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DF6C3D34A6B9EF6E68A90C0678355F,SHA256=B55F2E3AAD2DCC4CD5E86DAECE2D24961768B03C596E21CF69E9DC7DE389E7A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:58.123{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B7B45CE3CFA263F771318FCB491E69,SHA256=A2AEB1C82EE8D3BA9F7A94329CAB0259CF30043E14791C6C420671EBCCD0EF2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.676{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.261{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.257{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.249{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.243{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.223{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.220{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.218{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.213{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.207{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.202{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.200{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.197{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.172{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.163{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.147{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.138{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.129{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.120{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.107{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.101{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.094{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.084{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.075{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.050{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.048{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000838707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.018{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EAA59CB7D008B59355A6FB69757C2F,SHA256=F076FE64881C1C89A4C1F357668B7D5164BDD81A514048BBDEF88B3CE1AB62B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:59.209{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596F23E0C9B95DFE3E65777AA49E7C8C,SHA256=065DF80AFC33E94F6B98B4D978FA050A97A4E82C4179F0EEDBC3A87C8B874885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:59.059{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12F7E4AAF4BC7D2478DB23589712A03,SHA256=11538EBACE666DB74B399CAD74A04BE53F9B4978965BF717DC8FA0857D309C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:00.304{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF94592647EDD9FB8FE5B83F90BCE60B,SHA256=468CECF8A567C429E6EEF70DF091B55E011619CC8CCA10BEDF109887A7C1647A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:00.713{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:00.711{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000838735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:00.140{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222419E5F8BE9E91ED28F7D76157FA4C,SHA256=0E4F91810E71B82D21431A2A35A95D1D13A548CADE30F4283165452B6FB9B4EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:01.389{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDFA9591AD57735E325EAA0F195D9F6,SHA256=74807FB61627E66EBE6DD034113308F0E6CB9BF0ABC9E8D0A8ACCB1A6DC46852,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.849{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3100-000000009802}2952C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000838746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:59.539{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54038-false10.0.1.12-8000- 10341000x8000000000000000838745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.238{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000838744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.234{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74FAA0B11695DC0C761FC65CF4444D1,SHA256=2D34D8FC54291EDAF6CA3F069817EAEFA2F4FD97A755500C6EF14A7E506CB02C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.231{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.228{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.224{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.223{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.220{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.219{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000392394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:02.462{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2767DF2E8E674034AABAE175AF2CC47C,SHA256=965BC152F9D4A2438CC4DE1B89DBFA7B4252E008C769B89C83DFE890E93401C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:02.314{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F013E3DDF3E2401F7E12C5B24ED8A2A4,SHA256=B73AC9B8964DA12302E7FC7D1C1BD71FB6320AE3CBA51868F3E3CBD3F670EC4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:03.396{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F78A16A66F209D004C82E94D7F7BFC3,SHA256=09EAAB6BD432FA368770201123EC9CE1921EA1D250E121CDD6423CA265A98206,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:59.991{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50443-false10.0.1.12-8000- 10341000x8000000000000000392424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.634{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.632{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.630{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.627{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.626{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.624{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.623{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.621{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.619{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.616{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.614{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.609{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.607{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.600{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.594{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.591{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.581{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.575{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.568{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.557{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.548{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 23542300x8000000000000000392403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.541{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CF440728708959BBA1928710C7220C,SHA256=FE4FCA90FBAD02224BC4042A1D0C28A83A021896C56750F47577050FF2D78137,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.519{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.512{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.507{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.500{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.494{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.487{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.480{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.478{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 23542300x8000000000000000838750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:04.480{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA58F1ACD6E9E6C50B8151B2441B179E,SHA256=158EED0D6BFB3316CEE093C3034D41C154D839C0C8FF301AF6B137B46FD5B5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:04.638{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F13FB1C1E2A4FC55534F9AF4D19C32,SHA256=E56B0B95ADB8CAB271715486D4897FFEDABC76A88CBE87EFF28686356721C3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:05.722{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FEDEB86540220D7B45298BCEEA82E9,SHA256=B6B858002F1A3C18698FAEEF95FDB4B596F6DACB9BC096B0AA2D5678DA483183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.850{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B5EFA16ADB11D9D83804EAD2DFAF66BC,SHA256=75A43280538C5C4B5014C778B0E56AE0FF0261569D32CA4B240351815923A3E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2315-6387-5B02-000000009802}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2315-6387-5B02-000000009802}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2315-6387-5B02-000000009802}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.826{8A63456F-2315-6387-5B02-000000009802}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.578{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66E0E0E89667B20740A397F9D4E9C39,SHA256=4948D20310655BE1566E8C4549387211B6F4949352F9253BC57F91E4CCDF7F5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.351{8A63456F-2315-6387-5A02-000000009802}38644456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2315-6387-5A02-000000009802}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2315-6387-5A02-000000009802}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2315-6387-5A02-000000009802}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.148{8A63456F-2315-6387-5A02-000000009802}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.973{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD7661243EA124C7BB8B1F6F0E38841,SHA256=4A3BB3718AAC009280B9C45850F6C07E22ECA9A53C7A7B49BCDE366F328CB22C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:04.560{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54039-false10.0.1.12-8000- 23542300x8000000000000000392428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:06.811{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC98EF88277FBC9CC407F31261628C44,SHA256=0C8DFCEB3B0B2758C95DCF0F1C2650797B1B1B4AA621B1EE30A0E520F7B5C3C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2316-6387-5C02-000000009802}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2316-6387-5C02-000000009802}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2316-6387-5C02-000000009802}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-2316-6387-5C02-000000009802}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.179{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D219632E1D93569684AC320D8CCB10C,SHA256=E212121498D80113FA60C7090359121ED6A9BC8F4637E398D9E88833949928A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:07.948{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F008B49B2D135F8A7E45DA114737B9,SHA256=5B152357CFE7960C052472D736D76BF1A04CDFF20A87A16578A03F1A2A0F7EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:07.891{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FD30E18FE16FDAA6D65E587536B395,SHA256=81EEFEB8BB420C49681BF1126468ECC55E9798B4EDB1FC504314ED0A71D293FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:07.294{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5CBB72C1CDB56134B38D2C401A5C171F,SHA256=58C505EDCE7C978957C8843AC35824C2EAAF783B2708662C1E36C056F1020B6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:08.974{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC147F368B1F7EE96A36371D8C1873D,SHA256=B6A44EAA659B9603EB4F3CE3ACB8C2BFCBCFD8E9CBD84E8E66FBBFCB2FC1768B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:04.992{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50444-false10.0.1.12-8000- 10341000x8000000000000000838813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.809{8A63456F-2318-6387-5D02-000000009802}49922128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000838812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.795{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54040-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.795{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54040-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 10341000x8000000000000000838810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2318-6387-5D02-000000009802}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2318-6387-5D02-000000009802}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2318-6387-5D02-000000009802}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.540{8A63456F-2318-6387-5D02-000000009802}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:09.965{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3DF298C3273DBEE0E642822AFB725C,SHA256=A2CE94B4EC74090246848736BB5F6F78C93398AC21DC74C286F6C8EAE14FEBE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.908{8A63456F-2319-6387-5F02-000000009802}2308948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.877{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2319-6387-5F02-000000009802}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000838843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.877{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2319-6387-5F02-000000009802}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000838842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.877{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2319-6387-5F02-000000009802}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000838841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2319-6387-5F02-000000009802}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2319-6387-5F02-000000009802}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2319-6387-5F02-000000009802}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.705{8A63456F-2319-6387-5F02-000000009802}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000838828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.240{8A63456F-2319-6387-5E02-000000009802}6201160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2319-6387-5E02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2319-6387-5E02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2319-6387-5E02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.053{8A63456F-2319-6387-5E02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.037{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1C751D89D5710E7B536A7651EA652B,SHA256=2E5C3C57CD3C868EFDC291319B2882172FB81BE03BC50C5D16B7ECC2C4121B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:10.293{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA592E4C8B38F4BDA16639BAFA4DD07,SHA256=438E2AD710D611115265A6C55F5E20B04EADCC053A6556CD68EF96C3B6C2B472,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.870{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-231B-6387-6002-000000009802}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.869{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-231B-6387-6002-000000009802}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-231B-6387-6002-000000009802}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.867{8A63456F-231B-6387-6002-000000009802}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.443{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1FAD91BC65CDC655D5AE23F79150CDF,SHA256=5AB4E0EB8B5290A0A49A7A5386CA307806E448EE986C039774C6B0C83350BAFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:11.067{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C4AB5C0EEA225037576D7A78B7C20C,SHA256=8372CDD8A819B26A3C85DB64B28441F116F7081CFBED36485BDA204250F64CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:11.003{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-060MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:12.946{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BE17A51A936B3F18BC8C92011269EAD,SHA256=854EAEF2F4B7F70605582EA40649CFFEBD4C2DED829EB6A9F5D37805B798E3E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:10.559{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54041-false10.0.1.12-8000- 23542300x8000000000000000838861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:12.519{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D82BF91DD1EA656CAFE350216F5F22,SHA256=5CA0250D885B90D10974A56AD6C9B8C5A1B1E18C87794891616BAA725D2028B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:12.022{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9EB66FC41AE6BD12CF5BC50A2673E0,SHA256=EEAE33DF2F419190E7308BFF885DCCE7A706BE0000B64B7BAEB9E5F3E8D4FB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:12.016{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-061MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:13.617{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03421D9EA4A79799F18A683536AAA2ED,SHA256=B12CC5965AB5BB399AA4EA510F997019298E9EEB481EA036C00DE963C144BFA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:13.122{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462EE512A86D50371F623C1450260221,SHA256=8A2732AAA08EFDF9678A692278A5999986E112D3F409EDAEC40E4158389A90AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:09.992{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50445-false10.0.1.12-8000- 23542300x8000000000000000838865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:14.692{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BD09E7C135B4ECDF912B4984F05B2F,SHA256=06AF5A197F1D368338F939AFC7AAB134BC116761A478B1B195AD9B5FB008D532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:14.099{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DB1DD0EDE2FA08F9EC9EDD0F966043,SHA256=40177A5E1AF0F510F4F1EE50635F364C15539A2A8E4AE3E5F3009780E8ECFDCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:15.775{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D85A7FCDE9C8A6CBBDB6F65BDD30B7,SHA256=0A68ECF6448B5AFB02B0108DD8C62A7331ABC1C671B1E8521B2B62C62C5685D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:15.164{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C40ED6CA78C7BC7E2079C10A017271,SHA256=BA10A784D03422E26AD96FF432DF4CA982BE1D9CDDA1F3501D628F285C2E2152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:16.859{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAE8297457BE3D09759A864E34131DE,SHA256=4E49DC130128A80D86A8F11745B01A8F1D9ECA5CD0BB2281C437706D1D9B7E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:16.235{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C45DA05852C0418C7AF514ECE20CF1D,SHA256=D4056D710DD904F34374673FD3CCC35836F3ECFE4D7C2449240EF81E702A741F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:17.932{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E39EEF69A27C2CDD4CD2EAD7ED5CA5,SHA256=B79C3122206202E292699DF59471A9797A9D67274824B03B3DEB7151A5C91DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:17.334{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5894B9DDAB682B765CF37389A1AE39E5,SHA256=F09416C57ACDBCCB679C61B5FC8E61A7231B4FBCEE7689579126E238B21EB416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:18.415{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F6ADD96137F5D3A601F17497D02D01,SHA256=A9B4093ADA981402F39010595EE743EF9BA1A37FA71DE6E1209FD8D3018574A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.887{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.392{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.383{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.367{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.362{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.320{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.315{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.306{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.297{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.287{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.283{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.279{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.276{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.237{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.226{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.201{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.190{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.178{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.164{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.155{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.148{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.141{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.133{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.123{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.068{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.062{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 354300x8000000000000000838869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:15.641{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54042-false10.0.1.12-8000- 23542300x8000000000000000392445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:19.507{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22E791734E7D0280667BB872EC0A929,SHA256=65E41251AD25B32AA1A77C775BBB3CBE256EBE17C5D710D3919B8C379B2517A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:19.198{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8085DF174B2D31BE1C835416E84A40DF,SHA256=217F6B8D6C946767E33FC877780C567B8F54374B3E9FEE7D60665117C6EADE37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:16.014{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50446-false10.0.1.12-8000- 23542300x8000000000000000392446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:20.590{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBCB4C8F9CE820213DDA61BD51ECCA2,SHA256=8EB890D3B7BDDE50892447344B052D8403453872C7694A259B34A39ECBEEFEB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:20.931{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:20.930{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 23542300x8000000000000000838897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:20.459{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863371C2445253C3D5D6F3384A247CEB,SHA256=0224C34D02D1C1DC34C165661D3B611AD6F2C7A82412950BC4975D28B16D87C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:21.910{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=977A0D2BD7BC36B631E6E714CBA59DDA,SHA256=57282C01840E5D13C9EAE472B0F782F0058B0A963ED3120703BAEFD5211D34C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:21.669{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438B27C7BDA3165CCE014437CCE1B61F,SHA256=769AE41696A30D9A79A3C06730C55132D823C3A65E4B3B00B5F4CB846CBF6138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.546{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F171C364D440687A17D7042775311F64,SHA256=A024EBCC4E1E53D960FBB61455885E03CA2DD69DB76CAC5A900E54A4FB4E8629,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.452{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.450{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.445{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.443{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.443{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.440{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.440{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 23542300x8000000000000000392449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:22.740{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0E75D07124335D30837F3C269A75E5,SHA256=B646F2D288D09E0B5A7585E07A1B8C6423A061EC3D9B9260E444B4BE050A54DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:22.631{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473DE7629DFCEC630725E4A34E34027A,SHA256=65E0F4630BA5F0AF3B6CC1EC316FE5453FA9530A3924824C75216E7D2524EFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.812{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E707F70CFD966D195DD229F9F28BD112,SHA256=862450B18CE6E213A23A01A9110E4DC0E5A21175B4FC055E34E32887D7021C4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.767{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.764{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.761{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.759{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.754{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.750{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.749{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.747{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.743{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 354300x8000000000000000838910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.658{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54043-false10.0.1.12-8000- 23542300x8000000000000000838909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:23.706{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802682AE5364B7D0588EBC6375A3E1BB,SHA256=7B69A2D9CF1979F96EA75133AA14B80E922CF10CFB862543CD119244C713D9A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.739{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.738{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.733{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.730{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.723{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.716{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.713{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.692{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.674{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.658{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.644{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.627{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.576{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.562{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.549{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.530{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.519{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.502{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.482{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.479{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x8000000000000000838911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:24.795{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78DCF68E291B0C62E4A91D7F843B0BE,SHA256=0773D71A1FF06D84E07315F292CC55F064E712CBA84EB1E49C025F344067A8B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:24.790{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442AEADDE8CC2CC2821C3007C72D25F3,SHA256=66C1ECEB75788516790C84FDEA3BBD5BF64C08DCE0717184EBE79341B18CBDCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:25.870{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB9AD758FEB0089BB3F43205A4AAE20,SHA256=1F2267CD178BC8F36347BD908A8E1D86DBE6D0392BBC730CD6C7DBCCA1D86CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:25.873{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65D15F33F44A4A6A62D1FC4B71ADA85,SHA256=4F9EBECD29C47BD1039DB7FCE75E14F5D6BDC025FB0645057668FBF73B31D53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:25.380{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-060MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:26.963{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6493C9CD657F7884FB7AD7C663D8F604,SHA256=67490671C59C5FC5C7CBC6240A5D8C653105073182A0274AE3B334038C87A171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:26.943{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A6076BEA6502C8E58598B0ED5BF070,SHA256=DB3DC625576B9A937457260782874FFDF9E0431D51DF3D86C51B9BDB8FA4DF3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:26.386{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-061MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:21.854{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50447-false10.0.1.12-8000- 23542300x8000000000000000838916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:28.016{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C9BBF13FA9EBB0641727DF28E3F61A,SHA256=4D7D0CAE1FFDDF9CF1B705B9EE5139871F8E1C07929D3084EA5AD4B63AC95719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:28.051{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C0C9CBE32DAFECD0C74F4F9CD232F3,SHA256=09284D976F16CD86D9174212DAC1FFFB3F492E0B53272E67BB1B820B38C2DAD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:29.138{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD18DC6C650FD18B7DC419C59527E533,SHA256=8163ED32CF43F030267C0A8D3B987DDEBC8E475C1A350D5347518A5F086BC0E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:29.081{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646687D5512DCD4C29828C43E551D88C,SHA256=881DEA4473BB77219714EA8B56B4BDAAA02EE8109DA864F79AAD9C92B5F14577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:30.231{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBE5FB2D91ADE3506B605EA9EE82DD3,SHA256=D21D24EDE281E5A2D87F8B08E93BE9186B6CB68814061666AC2E4484EF09D7A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:30.160{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5519E0171FBA90A7C97BA45DCD6415,SHA256=91CDDB6FAE41903343CB7012C546AB3E59325627199425B3A0D0C3D58B329661,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:27.501{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54044-false10.0.1.12-8000- 23542300x8000000000000000392488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:31.317{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E185281DD746355C5DE030078892991A,SHA256=CB5C739B52C21B642A2C07447DA8FF2DC31788BA151476D09EE505E1CEAC9773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:31.138{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F8924DDA54275727D5683320106D8B,SHA256=CBC29A20564D467B3B0FFBC4C86E69B2AB87C6F701BD0558886ACFFD7FEED464,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:27.880{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50448-false10.0.1.12-8000- 23542300x8000000000000000392489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:32.401{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30C4786AE09BD7B6307D6916DD77E2E,SHA256=129C2CB9C856493C6FFC64041209F747EFD4754C70A9AA74F7C41F91589472C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:32.198{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCB86391BAD79D01443B23DA4DE061C,SHA256=97CAF8B53411CF0B074507E500D672108276C149550A16876EB2BE97C7F65098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:33.475{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8032967D9BA8C78A40C08C90531F4B72,SHA256=EBD590A3AB8D1883A403E53D03598D19EB85C34465EDF86D0083EC11ABE003E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:33.285{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3CEF59EE778D01ED39739DD256B8A2,SHA256=57D55A73A3F4E55356A2134173112C07D25B4C6A2ACB1ECAD574A3A75FFBE187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:34.560{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D126E245D991D3D2A860BA9129F6CC,SHA256=272227A1DCCD2A058F067E8FE1327A298B59736F91DB24078575A7F98A44E406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:34.365{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA49FB7F85DC8D04FA2B7CDEDD2CEF9,SHA256=C894C9A71C28F20FBF0AAE92E51ACF9504EA705A890D1F1E49E81CFE06F64ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:35.639{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F2A2AAFBE0CC14C92971FA6BF62C5C,SHA256=B7189996E6814AA492917C54E5266F734C7F75A294EBDA0BE9DC697674C993E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:35.446{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A69E98EF70C8AB02DD66DD07F050B57,SHA256=038549528ADDDFC80E92FF0ACD075704D171D77364FF95D30184D7227EC3927D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:33.511{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54045-false10.0.1.12-8000- 23542300x8000000000000000392494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:36.722{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB193C44625860DF1B4025EEACCFDE0D,SHA256=3E5E8A6CBBA42D408958A8389F0675D1B1988197900B7C72892AB6C80D2B6350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:36.528{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FC7EDC41BB18A057FF4D9A7B719B8D,SHA256=032365B7398F6F6156717DC9C4302545A4D91BA02FE2863674A57F84459E7F13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:32.975{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50449-false10.0.1.12-8000- 23542300x8000000000000000392496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:37.801{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B04FE1A25322C1B55F7A268072CBB0D,SHA256=FF7BB255A7967514248CACEC2754B969CD36496BB5637A78DA67B22CCA0C9856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:37.611{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023B4A25A44E393D9AF04307FCA8F87D,SHA256=FC66AF67692EA98C61C71E6F2C972206B2D8FB266CBBDDED60A98D2C02E6EA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:37.138{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F2173FABF67F0F66665DF64640D6551A,SHA256=6F140F4225D3513871C8A4A5D8CD87B6CC0F7535BF620755A4483AAC61BD305B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:37.492{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=971BDC1A2C39F9D3D4622D9F5C423972,SHA256=8AC07F4DD1069AB854F6471D9C28E40476475ECEAF0F15D394571BE9C934D35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:38.875{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7511BD41EFC78B318CDFB407D8A083,SHA256=5A097B9BCB37790057C4F1B7946096849C015E2C56E397C06264198E1CAE348C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.681{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000838955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.656{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE82B92B70BD2C96CA7F4598374CAC51,SHA256=2E8630411E9D08077E3FC1FBDAB902DEF3B7A9869D35459DE5A9638D81D44028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.306{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5868ED640E0FECE794C8166F441F1E95,SHA256=D40CB41BDDD7753844790AA56A7F268B5250E1D765781C1C64E78335A12F49AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.269{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.266{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.259{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.258{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.240{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.238{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.236{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.231{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.225{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.222{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.220{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.218{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.194{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.189{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.176{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.171{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.165{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.159{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.152{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.146{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.131{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.122{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.111{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.054{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.050{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000838957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:39.733{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89FC18D707A57E7DEE75C3ACCE44326,SHA256=F915C4F7BAC4A4BE38D78DA91633CBE7E205D34FAE597AEC2CD09D39D8DB07D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:40.802{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD38821DF003E30D88F2F6184CF8771,SHA256=B958DC1CFEBC2B26F773A771BEB313AC1FCB23EE482D3031C89ADB1E2F946F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:40.061{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0CF7DBF76C461CCDCD1D5EF99A6BA30,SHA256=D8D574D1D5BB1AFBAFA36BA426AD4F944388F8CDB7A71EAEE78C4A67DD3ABF0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:40.727{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:40.726{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000838969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.879{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC70A96191A886AEBC76E7FBC1812344,SHA256=70F71BE98FFAB8CA9DF3D0424F2722C97151C82AF3CA43829DD13453809308D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:38.803{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50450-false10.0.1.12-8000- 23542300x8000000000000000392499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:41.132{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0ACE0ED966284E93A693677D65A6F8B,SHA256=92F9CBAEC10B2F3211FD14E61192DAF0198ADA599B31130386BCC8EBC3DA7265,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:39.522{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54046-false10.0.1.12-8000- 10341000x8000000000000000838967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.251{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.248{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.246{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.243{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.242{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.241{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.241{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000838970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:42.962{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018EE3AC7AAD7E7BD3119500FF5CA611,SHA256=86A125DDE8C84C5DC09BCE958C07F23D8829F46F8F174E7DEC385A199161B6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:42.219{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC1B1B34A423EEC92ED8D73503E5CBA,SHA256=F1697B464DEFCF3B944B6722B3C33CA347874523E065075F226A601FF546BD98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.670{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.667{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.664{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.662{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.660{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.658{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.657{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.654{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.652{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.645{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.643{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.636{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.630{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.619{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.612{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.610{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.596{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.589{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.579{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.571{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.565{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.543{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.537{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.532{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.525{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.519{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.512{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.499{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.495{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 23542300x8000000000000000392502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.302{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F714B65FD489CEEA96FB8ACBFCFF87E,SHA256=3F3AF08B27DAFC3E8EEE84927F115E35AAE743A2BDCC8043E9C895365D165022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:44.415{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8763B3B3C1E2A2742346D376220C961,SHA256=4B841499B764F314B37186C974C3A274EAC1B5B29BA4C21798F38541B5858898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:44.050{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8829DBF7C8A211EDD85AAFBB3B842A18,SHA256=3B6B910B52369CCB0DEE8EF372AFD16457D8AD47835D76D6E9DAB83716B97C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:45.468{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091CDCA54D3E82E2A2379B53477A9063,SHA256=B7BBCEDB410E199C7ABD0812522E2C3DA14EA4E45C94163B4E6F8F484ABE9682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:45.130{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097381643432615D5125C86530352DFB,SHA256=9A918F9F1EE87DEF02F6C3683E16597BEAEB19BAB7FEB709B68931058DEE8F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:46.537{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7695C02D7CD39FA6AFFECD697FF66CD9,SHA256=03EE9DF161AF7C414D68A53DF32D6EE56E106ED17DA7F5845B82AAD91EB9E25D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:44.529{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54047-false10.0.1.12-8000- 23542300x8000000000000000838973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:46.215{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB755F19A8B698A10E700F07A66C733,SHA256=4723D2FC5C32E1045B5F1FEE4024B64EB5DCB70F81E57DEE38E455CCB0208269,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.953{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50451-false10.0.1.12-8000- 10341000x8000000000000000392537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:46.227{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:46.227{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:46.226{E56ECBBF-146E-6387-0B00-000000009902}6441464C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:46.212{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:47.620{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0AD078144EF5C6D4454235517E91A6,SHA256=3558D2831E5F53DAE4CD1F89251C228A5FE837FE168774C09C0B171457A23DD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:47.301{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3144884F99A523F51BEF30A142C6DEE7,SHA256=713EE449962A0EA846F0601B7306DDEE8661E72738F1C5AB6701D816A8844E40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:47.219{E56ECBBF-146F-6387-0D00-000000009902}8001736C:\Windows\system32\svchost.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:48.687{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD339FF67761BF07BE8B09C0384890D,SHA256=5F3C788FF11BEB9E2D0A0CE0FB893D6F701DFFB01FB3F29EDCC38BAEE0C712D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:48.386{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE598200FF89484071F6C35B97CAFB6,SHA256=047C01C20406DB6CEC5E674CD44749F2FDDB807E5802C6596BC5F79E468C2A29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2341-6387-5C02-000000009902}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2341-6387-5C02-000000009902}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2341-6387-5C02-000000009902}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.914{E56ECBBF-2341-6387-5C02-000000009902}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.772{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C65297B38B13FF3C7E226BF1A4D523,SHA256=C902633390E6FCBF98BFC8AE8A3B401D2352ECA67B9C3846DF36CABCEA93A57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:49.474{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB2E409955022598D51745E340D426D,SHA256=76443AC88B8CF9E12C954A937114E1EE6C9031A4A4398B3ACA4844A78525451D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.600{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:50.564{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24EA5EBC87941FBDDD4F337638991EC3,SHA256=3796F0CC14FC47FD72EC3A341D1F024B2AFF4B127F4D4ECEA37008D9839A9EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.638{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2A3D9FDF47DFCE1E96721C802CF2617D,SHA256=775367FC659172CDA5836F6C3D608B19406B9C3AC8A10A337D7600499BED97ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2342-6387-5D02-000000009902}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-2342-6387-5D02-000000009902}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2342-6387-5D02-000000009902}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.599{E56ECBBF-2342-6387-5D02-000000009902}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000392558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.079{E56ECBBF-2341-6387-5C02-000000009902}26081640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:51.748{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407C2F5BC6CF12A28EBE661B00F1DF53,SHA256=91AD73BF282C242B39E599ED269D2A1B47A3981747C9AFAD7EB8822B9ACA4E33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:48.343{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50452-false10.0.1.12-8089- 10341000x8000000000000000392590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.598{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2343-6387-5E02-000000009902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.598{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2343-6387-5E02-000000009902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.598{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2343-6387-5E02-000000009902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2343-6387-5E02-000000009902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2343-6387-5E02-000000009902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2343-6387-5E02-000000009902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-2343-6387-5E02-000000009902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.180{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4796BF1FD5B5B00FE2578C72C6A0F3E0,SHA256=A5D89248EB3BE2DBF5E0C73C78906E0518DBA42D16D300EF76135F02ED538332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.109{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423FED269E0957498E7FA714F5206E5B,SHA256=3305B2E25896380E3A04B6B9F0FEF77FFC4D66BBA63D8F12926BE774BDE5F177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:52.843{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:52.843{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF5D73B26A2F325C86AC0C86CC26DF2,SHA256=8BDF71B81B367C5D9A66A840A716488551184A84FA4874B6F926B3C053E882FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:50.544{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54048-false10.0.1.12-8000- 354300x8000000000000000392594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.906{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50453-false10.0.1.12-8000- 23542300x8000000000000000392593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:52.161{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF26DA4B02455E9E7FC8499EB553430,SHA256=20B7C26329F3ADFC67C5B684F3AECFBDEBFD6F436E2F0C30878C791C5E94DCE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:52.036{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E7937D111424D5D86C1D9E12B34EF911,SHA256=59136E25232F309EBE0848483A9E7960545456E105B5FEAAAB9F764C81E22ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:53.917{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99E48D81BD0D5B06D3BC5666A9D8B2C,SHA256=0FD92E19B6FDD564F921E6A9D502C239CDFF01745EA596DBF444A01882BA5D5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.875{E56ECBBF-2345-6387-5F02-000000009902}36882996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2345-6387-5F02-000000009902}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2345-6387-5F02-000000009902}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2345-6387-5F02-000000009902}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.719{E56ECBBF-2345-6387-5F02-000000009902}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.224{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B702EC174E88A9A204E936D177E88E8,SHA256=9E588AB08AF2DE5353BD183C75EAFC71CD17CDD92FA7FCA8584DD96E481709C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:54.996{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB55A2FF02823F6F608A2C8BB3439CE,SHA256=BFA11CBD1CD9173F29C3F3BC04829A629BD14B6A8977052608D119D9E7320A05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2346-6387-6102-000000009902}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2346-6387-6102-000000009902}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2346-6387-6102-000000009902}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.994{E56ECBBF-2346-6387-6102-000000009902}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000392624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.557{E56ECBBF-2346-6387-6002-000000009902}25121912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2346-6387-6002-000000009902}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2346-6387-6002-000000009902}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2346-6387-6002-000000009902}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.387{E56ECBBF-2346-6387-6002-000000009902}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.322{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CADDE4F96D7FE5ACC7F83A21DD23D68,SHA256=C57F447C2653DFC5C4CBC17B3E2A7DA61FCE7B488D2E567D402C02226B543185,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:52.272{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54049-false10.0.1.12-8089- 10341000x8000000000000000392652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2347-6387-6202-000000009902}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2347-6387-6202-000000009902}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2347-6387-6202-000000009902}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.975{E56ECBBF-2347-6387-6202-000000009902}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.628{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE8BAEC527A1D834844EE43DCED1377,SHA256=335B6C4B44CF5CF0B480A5751DE04A1E212E6303ED036488807C159D3C73618D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.128{E56ECBBF-2346-6387-6102-000000009902}8522400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:56.725{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B53326871F415CB950EAA997ECBFF0,SHA256=DF672AD74F60DFF07109B41FD1963CCD59BFB4154E675C343EDBD3DD4E75E986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:56.090{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C611E6818198C6C00FC8D81776BFAB74,SHA256=2F5BDF0F8B54F89340F6250D71BBB98A605CA146D6C48BDBF2F8A64A6C3BF3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:57.807{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66169B5116AC74CAEF655E61705B5B98,SHA256=F2BFC8BD72C94B4C906634FC521DFD823D178508809BA69D833A4866C47BCE99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:55.567{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54050-false10.0.1.12-8000- 23542300x8000000000000000838987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:57.179{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21515BA7091FBAE998B918A80C3D4605,SHA256=18FFFBDF64DACBD9D7ABBF9782C40C16D6F497C6583D3153753D3CD2BDC9F5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:58.891{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF4BE63F57E8481601C44D53EBA6AF1,SHA256=BEA5C0FCF46A6F1FCCE460401CA84A356DF1BB1F4D3CA1E8B5C7BEFF04168F75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.898{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.384{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.378{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.367{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.364{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.340{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.336{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.333{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.328{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.317{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.310{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.305{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.303{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.267{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.256{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000839000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.255{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CDF8C4A04804086358FCB53FF473A2,SHA256=227BA4A9C241632BF668D1D2D29463A77CE9B4CFD14883A5571576643DE02987,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.234{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.223{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.210{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.191{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.184{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 354300x8000000000000000392655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.920{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50454-false10.0.1.12-8000- 10341000x8000000000000000838994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.175{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.161{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.145{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.131{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.057{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.054{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000392657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:59.996{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA42CAB214BA86859ED8D856F3430E24,SHA256=FEE28ACD110337F122A4097BEA6B7A7533EC2F5762D089F159BDD4EA619C1B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:59.291{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CA367F2A77E76D1C037A78042EBEE1,SHA256=4894E1B8A2BFA60220C6BEDEBE20EDE442B1CCE75A6B7E25F7C6D332D782D233,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:00.930{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:00.929{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000839017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:00.359{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0CEE7521EB8BD4071EC68AB5340B72,SHA256=A521E89166D5A5D285E82E2BB9D93E2022CCED7CD0136E22464BB7C35CBFE4D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.849{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.849{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.849{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.835{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3100-000000009802}2952C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.459{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.457{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.455{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.453{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.452{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.450{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000839021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.447{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23689F28C41B23CE614A0BA1E37BC065,SHA256=28C018EA243DA244808160EDB72B8EB4D3BFDD2CE11C0878266F306A3DBCC2FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.447{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000392658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:01.076{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9673C041D2416D776D1339242343407,SHA256=A046E7A960B1AC74426025B5223C220B4816E82BCA48C35FA770BC6656F0EA75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:02.525{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC6BFC96ABCE1F3358539C214241310,SHA256=3195C6ECBB7C0B46CEFFEB73D78A2CC8FFDA671CEF7265504FB76298896DB728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:02.169{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0ADED85DE6075B022D470B224D9F64,SHA256=02EE835FC91C2D4F8452EBE374602CA09A51D8DBA6705C2B5753E8390A34E9D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.517{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54051-false10.0.1.12-8000- 23542300x8000000000000000839033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:03.627{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797BC5E4C606805EF4F4E85D6E9E84F4,SHA256=C1B2A409EEDF59540DA53499478CAF55F38811826B253A7F88EADEA36819F239,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.631{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.627{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.624{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.622{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.621{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.618{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.615{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.613{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.611{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.607{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.605{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.600{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.597{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.590{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.582{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.580{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.567{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.561{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.555{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.547{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.540{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.517{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.511{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.506{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.497{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.491{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.484{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.477{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.473{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 23542300x8000000000000000392660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.356{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7AB70DD12179AC45E5F14213DE80B2,SHA256=0A64790685C119F5B4FE48BC389B04420FD09E1BFFC61360EB284C43061D0D62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2350-6387-6102-000000009802}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2350-6387-6102-000000009802}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.995{8A63456F-2350-6387-6102-000000009802}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.725{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615A155186DB74E6F8EF5A18E4107B71,SHA256=71D0E90633D097878440F45E08F0C2ECD59F8F43FFF7B0B200BF512A91485A08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:01.957{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50455-false10.0.1.12-8000- 23542300x8000000000000000392690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:04.729{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607705C461BD9C901858817DF8FB7767,SHA256=D1C9EA28C9DAED919D54962453E864223FC1E5C026433D3FC84E46C2177BF117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:05.775{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F46A710E521F91A51D3F3238A4F3AC,SHA256=BAFCACF94BB0CA1711AAA4B354CD23C729993B046D99A9F213E51AE46FD8567C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.701{8A63456F-2351-6387-6202-000000009802}47003872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2351-6387-6202-000000009802}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2351-6387-6202-000000009802}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2351-6387-6202-000000009802}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.495{8A63456F-2351-6387-6202-000000009802}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000839048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2350-6387-6102-000000009802}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:06.856{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13BE9ED061715139438ADF563E0D0B1F,SHA256=54592E83E4065467C378A18A1D7DD7E83DA6CCFFE0D45AFA4A8686844EF36D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.905{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C064F436C85244D94680E6F770DE32F3,SHA256=130946943F53AE71BEB38B4419C770F78EA6E97F76DE5F42983892695FCB13B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2352-6387-6302-000000009802}1544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000839068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50B2537F83921FA7E1E680F6AF0A0B4C,SHA256=1C7EF62C7E623E76574FFCB66744175FC797D8479CAE83733AE27A39B480A65B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2352-6387-6302-000000009802}1544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000839066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=350444B61401F32E08F3BF2006EB2D00,SHA256=491F4278F15D8568DB342CE46E10B79B24FBBDD28FEE27B213B1C40A787E400A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2352-6387-6302-000000009802}1544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.119{8A63456F-2352-6387-6302-000000009802}1544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1E24C4883DD50F5C87DBACDF67DFCA02,SHA256=EC7EAE093FB2FD55A5A4A6D71F6120985C563B24D2F8F8337823D4A0DFE7B2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:07.940{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EE627DBD5C670BFC5DD6C73C8DBA95,SHA256=A5D957B2499837DEB6AB73DA1FB145F4600FA9108BF4725E37458EDB07DCECC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:07.198{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826A7EAD4C107BECD5B3FD73474726F2,SHA256=A8A986501C369C87D506EDE137FB09C64DBB66D81A9603E52356B5D9249ED142,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.557{8A63456F-2354-6387-6402-000000009802}2004592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2354-6387-6402-000000009802}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2354-6387-6402-000000009802}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2354-6387-6402-000000009802}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.387{8A63456F-2354-6387-6402-000000009802}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.276{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FCDC44A64217D264ADC2D4D1ECD38F,SHA256=D591FA060F547F11786B390AC93117548BBE62E826503349B28A4F114CE06B2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.796{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54052-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.796{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54052-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 10341000x8000000000000000839127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.790{8A63456F-2355-6387-6602-000000009802}3803964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000839126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.587{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85374CB8EE767AAD41AFB1B37D911D56,SHA256=71E0229006CD64274A66AB7F6B32DD02E2AF83C2466271BE8124E1E28C0BBB43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2355-6387-6602-000000009802}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2355-6387-6602-000000009802}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2355-6387-6602-000000009802}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.579{8A63456F-2355-6387-6602-000000009802}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000839112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.358{8A63456F-2355-6387-6502-000000009802}1404364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:09.006{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC4E9CE53244036534F8E27DD208665,SHA256=5C72E5F126C8C1DFA20F300BBF309A3CE07E83CF35C4ECE2FF7EF4CCD2BFEED1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2355-6387-6502-000000009802}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2355-6387-6502-000000009802}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2355-6387-6502-000000009802}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.078{8A63456F-2355-6387-6502-000000009802}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000839098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.523{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54053-false10.0.1.12-8000- 23542300x8000000000000000839128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:10.461{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=472BF58BFB0D4E5A1718BF0949AD37F5,SHA256=E2048C762D17F1B61EFDAD8F9727AE4AA72C713EA9E14462E127FFAB22E8B77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:10.089{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C357D72CAA78CD7FD944C57DAED3F369,SHA256=3A243970D040BA66911589DC26124295F16318042F544379D3BE569C3D834A4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.930{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2357-6387-6702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.930{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2357-6387-6702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.930{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2357-6387-6702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2357-6387-6702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2357-6387-6702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2357-6387-6702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.802{8A63456F-2357-6387-6702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.546{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2625A2AC149F659A2D371F0C53FD4C2,SHA256=29715CCF9A615A2D01066C2003A14A72BE5DFAD589EC472ED2AAC5DB5A7FE6C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:07.903{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50456-false10.0.1.12-8000- 23542300x8000000000000000392697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:11.189{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FD374C0EA626BB66DD00AF316424F1,SHA256=C8E6DEDC60A4890159A8ABBE441854996C866F9AB7F9A5F23FBBFC0BB11D653A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:12.944{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09FEC089814034F78D249A25E16B9E3E,SHA256=735079F5261C7E04DA40DD6810176D6F89EBE3C3D748D2C6EA0731265FCBEC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:12.623{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73B62F7D1B0A85B6233B93932FCAD20,SHA256=C8DC40880CD50767DF20A3D032BD8B29E139A3FFCAFB18C621F4E75CE109ED60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:12.534{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-061MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:12.266{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89BEFCB35AE5E391477217EF3C950E0,SHA256=032BF7280031542788BE2B551089438A30B786A85718242ECE5377A7BA507E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:13.715{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0E535E49AC0206BA03575E124F01D3,SHA256=53642B1222F9CB0C6F7F05939B7782DA6A54590C33E082D36482C0EAFCF64631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:13.534{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-062MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:13.350{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB1BDDDF953828880CF6B8FF633152C,SHA256=AC5B2CD04A6633F0046E0EE0032B9B883F06252A81A6F9A56434059344E6DD73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:14.790{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=031A833A4E0A0FE7D26F62D722ED1559,SHA256=2A0683B4A8792CBD936D20F83375DFFA19D247187778DDFCD1EF100A4FB11375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:14.413{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4D9006CC57B2ACED63199E7DA3E8E6,SHA256=AA8CD02F43B135B41F9556C3F4EBCF8060F547D623FE42FB229D20FFAC1E193D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.574{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54054-false10.0.1.12-8000- 23542300x8000000000000000839151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:15.853{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC62582439E14493CFE51566C9D23593,SHA256=425A697BE3DC7C91CD0F42BA63A271160F3C87B40A5497AF0B0C3050AFCEFD76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:15.489{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4BC28A35BBB87F285B350C4E207411,SHA256=5A7A79745EB0ED4853D2C605485045F2CB32EC9A83EA160B7503877446B8B08E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:16.944{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890FA610511AF135A868C910A2FA3371,SHA256=DDE8783B77E8A88987E4593B9E867A121AC50585FF5AC430CAB8049FC160032B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:16.561{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D9939493C177840DAFE7595F6A6073,SHA256=8BCDA684534EA4EC81BF6D1D265E4313039C5A761A077FBEC512545DD41FA530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:17.647{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BB9AC54D9F139394D16E82D665466E,SHA256=10696D65AC8D43CC8732113DBC4F74E8421A52FB91CED097DAAB12E4B7B95CA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:13.835{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50457-false10.0.1.12-8000- 23542300x8000000000000000392708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:18.859{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4D013CD89533964DF9EE5EB48DC13B,SHA256=8B8F94B42430E2528F1AFB2C61B770E3D99C24094470B5B248C660584A8AA831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.939{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.369{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.360{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.353{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.350{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.323{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.321{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.318{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.310{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.302{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.298{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.295{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.293{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.264{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.256{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.235{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.227{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.210{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.191{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.178{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.170{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.156{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.145{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.121{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.052{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 23542300x8000000000000000839154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.047{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640C7E747C94C33176E2BD4A5A69B587,SHA256=5280D93B8C721F2FB05D6F72B3D5A0C07D92F98940FC603A2583549E8E8BD773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.046{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 23542300x8000000000000000392709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:19.938{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4EF6A17EBA0BAC3FE7BC5AACBF2783,SHA256=B2F765B1A2CEC65983C8912F25E4CD33FAB47B15A5A743266192A07E821897DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:17.499{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54055-false10.0.1.12-8000- 23542300x8000000000000000839180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:19.071{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B174AAB4B750BC9E2F9FF2F98BFD15,SHA256=B24ACAF9092822914179E6479A3B44E5F95AC536695D749436CFB01FD024FB8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:20.982{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:20.980{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 23542300x8000000000000000839182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:20.153{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A333EE16CCFFE14A2E59C2F231018B3,SHA256=7EDA91C29CF0C8C28BAB35AD5D986010868F8588D6F00EC568C11A0FFA266BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.556{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F543A50274C2A4138A1D7EC188CE1D69,SHA256=9DFCFD93A01E4316CAF825E0A4EAB7CFDE9C6C29E97ABADE7D2ACD0B698ECC90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.499{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.496{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.493{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.491{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.490{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.487{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.486{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 23542300x8000000000000000839185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.235{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235C347ADF849F369B3E1E519B5FDA79,SHA256=D6A89F2A8351AAD6B44C510F7560E1DF83941EA11E282B2C5CE9530D2C31927E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:18.940{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50458-false10.0.1.12-8000- 23542300x8000000000000000392710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:21.012{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85D1D37AF268EB7C05C292CC62BFEC1,SHA256=D791FAAD1591E4DEF5A511A6D920B9C23CE185048B414009E47C3E0227B88B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:22.311{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D605B7798BFA0EB38F61FA7B6F175A1C,SHA256=21BBBB793088D4F456DB97F77BD9CDEADCCA29739104E442E049EFCF69E6187E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:22.207{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C8DF058999C46A89B6281431404E7A3F,SHA256=9DDCDE70F99536E93791A290990D7D5B2D0A5C73B99119FB5C64111009192EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:22.082{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3A0D47303AA4F851369E70EB6021D0,SHA256=8B5A08A4EB9D6E13E6234CB708B364254A678A085638A83BBB07B928F057ED14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:23.413{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E073AA94B75F494278FC4C7E7EC227F4,SHA256=807FB7D7D59D58A2394F8DF1DD3FF22EBA1CD6239E4891D628B4ECB1D3ACE33D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.644{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.642{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.637{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.635{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.634{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.631{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.630{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.629{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.627{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.624{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.623{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.616{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.613{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.605{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.597{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.594{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.582{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.576{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.567{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.560{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.553{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.526{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.518{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.513{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.497{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.487{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.480{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.472{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.469{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 23542300x8000000000000000392714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.163{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758FB2B3C929CB31D11A82F07349083E,SHA256=B9118580603E3615D4175AD8C527427D426EB6B5099D90F02FB4950BA10DA042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:24.483{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CEF11516652E1297C96E09E43D4279,SHA256=A2959C761879A37ED399FA76DCEB38027D2D2E86563BF606E926DB766D96F20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:24.369{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66A41170406E66AE8DBFEBBFBD870CE,SHA256=C5975031DE313D99EF39B8FB770C614B05744CD09B612993F7B7E5B7D5DAF49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:25.569{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5955B2CB6E8F9276A9E48202C41A984E,SHA256=0BD6FC79A15FDEFB4D6C87546D9D81BEC2C994FC986CDC0744E02D76D3BBDCB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:23.523{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54056-false10.0.1.12-8000- 23542300x8000000000000000392745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:25.424{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA2EDF44FD13850C2BB3C34EE2695B3,SHA256=044A8FA8DBAD400D30B21EE245D548553917CC831140965E5491EB12AACA319A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:26.905{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-061MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:26.657{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24797376125D1D1EC0B4FFC89F462B89,SHA256=7093F265630ED0B43B2CE4A859EE6BABCF1A1D165B8494EED983C87097AEF72D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:26.499{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4501D05C1EAFC5DB04700ABC8104C9,SHA256=CAE9E5B2208DCBA0A21294847EC4315C6A7D4F0AD377C220DF2AAB9FA3C0DDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:27.913{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-062MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:27.724{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA0DD37611055CA1E5BA455DCA7C51F,SHA256=257AA370E2301955E6F23AB0256D7E99DAA0FF8F63D7F88028ADD9C12A7102EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:27.584{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189D71BE588323CF5A0901293726A713,SHA256=93CE2D30742A14D33120F2836FAF66D6D39AF8108DB8DF63E884F04992AE0497,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:24.844{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50459-false10.0.1.12-8000- 23542300x8000000000000000839203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:28.805{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC97B9A171F4DD70DBA552FE984A53A,SHA256=BDD3304C132FA444CC95176CA3BCAA71FCAE29C3F27F343B65D9E265B9C95EC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:28.669{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD2B2D9341E8F3086F711B00A8B487F,SHA256=ECBF15231876A92EC26308BB4E58004685EDFB1B39D7C7D58B87473EF1424933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:29.879{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E569CB9C5556C62672587EEE9C7AFE91,SHA256=444D47D811636145DFF467ECBD662A366BCA31BD3A813382A0156ABE83AC00E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:29.763{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508531713DE9CB84BC9B7099999727D8,SHA256=82C9A95C33B34B4F856117B9F13A5DBEDA60BE66AE4565F77E55E1975BCF0F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:30.955{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C02692BE9083DEDCA0B46147E4D19BA,SHA256=41465888C585B270926E909EDA70E932BB6EDE2F33CC8E09E2F579CD73678124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:30.848{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F89DD5FD5BADF177079490AB17618F7,SHA256=8BE4810401B1847EDF67E38647A4D43775D3A2B43C5DE0AAB58268F903015B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:31.923{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144E30A4821233CB24A5A6076D338ADB,SHA256=7D2AC64353C71698555A4BE233C9A9DD21FA9D3B389C5EA07FA5E6E8BB189EDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:29.491{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54057-false10.0.1.12-8000- 23542300x8000000000000000839207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:32.047{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA4DF5E47CB28AF71B44C683CCD5ECFB,SHA256=3C80FE174ECA504B0118B95F2215CED79BE366AE96839BCEA46FD3686710B4E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:33.149{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BBC6C4CCD70F99D38BEFCDC6B75572,SHA256=9CFED2011C9D4EB6BDEDD306B2C6DC77298581B59441A200840692AB0583F800,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:29.993{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50460-false10.0.1.12-8000- 23542300x8000000000000000392753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:33.036{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB6F92B2297308040B6C118F87E4B81,SHA256=2BADECFF04C1B2258AD1B0BE5AF49F80ADBCE111D30D44871A29027436BC9CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:34.238{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD5DFE6FE401F6962AB14E6E690A5FC,SHA256=58A341C1DE4A07AD9E4589BBBCEB5927B4E96E239C4C202285F3476C2280B22C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:34.123{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58500149C769AEA13F843326C5E60A09,SHA256=0F66089F74B8B6A1AF5FC88FE98659542ED991445C270872E6198ED7AEF9E3F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:35.323{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E0F487F007C9CF6491F10BA6D0695E,SHA256=1DA7CD13235735F25A89312BF4121CF5E46B7C731B34783814D744A19649CD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:35.221{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62B4FD9C3C8AABEA9856B7BEBE643B1,SHA256=F79B2B03DD2BF25D35150C03A6A69352858E76AD2C5A3ACA84075552FA8E848B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:34.603{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54058-false10.0.1.12-8000- 23542300x8000000000000000839211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:36.387{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495EE5946C04AD5F6AEB03435DE4DD0C,SHA256=A8F73DD37D2174EA21DE8FE435FCAC4DC64C8BB42FBAA5DDD66F5644A41B869A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:36.298{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653CBFA845FEFA82C51F8D91905CADA6,SHA256=0C9A2D04229BCE2525A88760098C760F14BAD2D82E044B056B11500606A8C9AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:37.379{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC07712A76F705E660E82417952A3C6D,SHA256=C8516994B9D44F190BBB7FA2B12E2C24B406489F09C4AEEB84070709EBB25D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:37.485{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F14AEAD722A261A75F643049F305A7,SHA256=2CA3351782E1C113B831C26B3A20D12A9E0FD387BC00C2E5EBF68AE8750FDA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:37.282{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E51645EFE78AD6DA4EE484106FBD86F7,SHA256=B769806E5C003EC8850DC4D9480FD2DEE5DC92FE3D4DB174C7310BAD646B3009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:37.145{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=95CD2948953C9CF516DF47D2B5EBA54E,SHA256=4493B7BFB98BBC3B8E3119C0FDA22DBB5CB8AF8CC9527CF4D306DD1B96BDF897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:38.469{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B84766A499BFE2130840EF4FA1A517,SHA256=11C8AB0D2B98834A82F01792158257ACD69DB7F55414884A1420F33857639CCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.852{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.546{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA19708F9D8ACCE6934D0C00988AC644,SHA256=1757CB613CB201E23BF7B53CFC9887B68545D542C4C1C1C0D1F8B20345B3978C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.311{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.307{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=33FF87FCA9EDA12B6F1C3C4408486B96,SHA256=91BBC736279E16236FF8EB79368550A12D59366663CF918129FBA4FA91398FB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.306{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.299{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.297{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.281{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.279{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.277{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.270{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.263{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.260{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.257{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.254{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.222{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.209{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.193{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.188{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.181{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.174{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.168{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.160{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.153{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.143{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.133{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.072{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.069{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 354300x8000000000000000392762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:35.949{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50461-false10.0.1.12-8000- 23542300x8000000000000000392761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:39.554{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C4F1942C39066D49B1E2B5A4F8B846,SHA256=310D5700FB9577967975A82915BEB090A2966881A9AB26C2181C15506BD85829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:39.608{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=363CB72A52201CF6C63BD649097E37F4,SHA256=F30408BC39CD4295F75F08BED2B05A54F73C8EB1FE704A18CE3A0FBA5C5F0FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:40.640{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4565EF08906D3E794DBA746AA175F9,SHA256=E8D60FA200235E1025E9E3164C40F273537D0ACA22B388125DC859080BA4B60F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:40.873{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:40.872{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:40.680{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829B218D8F31F43650B2B0BE04E59F3A,SHA256=0964874679FC9A2E645FAB3ECA4DCD9456C1E18730E68065335FA372A3649093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:41.721{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0A2BD6EE2E8CD7D1455EAE1FC43485,SHA256=22F0D34C567394784C401810326E1B6C37586D7E821AA7D971CB97D85A61D657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.766{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19838C5DA3919A8AF0B05123115BEE42,SHA256=DC195C3B07359DA177ABE5A4D1097BAD8A210924222BA3024FBB62C3E1230A24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.403{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.400{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.397{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.395{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.394{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.392{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.391{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000392765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:42.803{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6D25A2A119EE94AEC65BD4EFEAC862A,SHA256=93C4A022315B5D4EEB11CB57A6FC9677791F3E20CB573CD87C2D7BE182D33F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:42.851{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBE94E141A50186A8A197B0FBE9CC2C,SHA256=754E3D34ADD9E9DE90DE45154910B61917210DBF0A47FF13B167D9C2009E0B5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:40.592{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54059-false10.0.1.12-8000- 23542300x8000000000000000839257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:43.928{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B80DCB9B84FEFE6BEB341460536992D,SHA256=14D3DED36422BB3B5251191B7DC73390820810BE39D98159184DC5BBD7E3D792,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.658{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.656{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.654{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.652{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.651{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.648{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.647{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.646{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.644{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.640{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.638{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.633{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.630{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.624{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.618{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.616{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.603{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.595{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.587{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.576{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.567{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.544{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.537{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.531{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.523{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.516{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.508{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.498{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.493{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 354300x8000000000000000392796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:40.997{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50462-false10.0.1.12-8000- 23542300x8000000000000000392795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:44.049{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECAC1D2D853F07407B3C55842746BBE,SHA256=0131F49D68138146FCA6512B27CC83215ABF2291FB6BEB3A4E28FA5ED8465EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:45.011{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F17445D18CC8F936362D87958ABB9F2F,SHA256=E74D3222B3822B6A4C03C622D720D838BB6FCC03E89D525EBEF3300B56A4919B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:45.158{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B9E91D5C5569323A8A81A47C94F3BC,SHA256=DE6F29C4F855B90B5C9BBD4BB7CAE9C7CC7E587996D7A31E6D5CF51F5EFFCF05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:46.221{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:46.221{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:46.221{E56ECBBF-146E-6387-0B00-000000009902}6441464C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:46.220{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3FE28A487737B636982E79129B4B30F,SHA256=636E0B762832C5E9A8E37E44684B9FB4E6CC5B16B5373ED51560816E50D9EAFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:46.206{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000839259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:46.107{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CF4FC1720341AA1AAB95E23BA09D78,SHA256=EB00B57CD7E6CA040EA1D72B7C74D6B5F3EA6A9944DB8D292DAF970133BB8B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:47.290{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B4B30AEF8CFA7934F059FF13852FF5,SHA256=B224631D97605A2368763C8A0DEFA2BA6B95CB19B94FE5E0221B8B6516A8FF20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:47.183{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A636543E7D2DBBB8BD73034A10C314,SHA256=A5BCEC9D450C471F8C73B47C27FA6445500FCD408B069781B35F691BF578B767,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000839260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:33:47.090{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9049e-0xd8b019cb) 23542300x8000000000000000392804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:48.376{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E36E382A10D8964097DA006B6E467E,SHA256=05DFD3F61B4D7A5DE47B65BB66D2DF658CB851C512A702DCDDF07826B8FA68D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:46.551{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54060-false10.0.1.12-8000- 23542300x8000000000000000839262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:48.268{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C075D5F546468CAACAB27D257865B8,SHA256=6AE99F92543DF9528C34E87449D90C4DB272BCA337B4E27E4D84EDF1E225C425,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-237D-6387-6302-000000009902}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-237D-6387-6302-000000009902}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-237D-6387-6302-000000009902}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.942{E56ECBBF-237D-6387-6302-000000009902}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.629{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.457{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951B73A491AA60DB76EA3168CD357A45,SHA256=6971911D1EDA9B7AD145AE8874A25A65215F2A52FAA3E1D67DBE69006A5C6A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:49.342{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A304EDF45056B0040987F1BE63A85DF,SHA256=DAD35E9874C10321ACDA029139B907975CB19353760E22011C2176087F2AD364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:50.425{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C335D6231A465B90FE2D6F1D0EF37F,SHA256=0EBBBB7CD26ADD7D030E8314815EF6A46EFF88755D5A42A18D23722032F2D6C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-237E-6387-6402-000000009902}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-237E-6387-6402-000000009902}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-237E-6387-6402-000000009902}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.605{E56ECBBF-237E-6387-6402-000000009902}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.542{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8A2614BB0EB48C885CF9CBD3B28535,SHA256=5FFE68121E0F8B4800FDBF0E02FBE6F304E1A0D8BCA9AB3963DAA2CDC783BE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.385{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=19272B50F4785C52735A1A3632C677DD,SHA256=2693E9A0F08C64C18CE9EBD5C7FDDBEBC331707E6E259BF5AFAF711C491EE590,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.123{E56ECBBF-237D-6387-6302-000000009902}7843136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000392820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:46.962{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50463-false10.0.1.12-8000- 23542300x8000000000000000839266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:51.505{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7497C003D438DD0FF150F09C6C8883,SHA256=3A8D14B027920769F7E570FFD8620C17C25ECF07737273C95827A297778F701A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.752{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E837C25FC8C1F4AB78706E804E6EC9C4,SHA256=3FDA72A4BB2FA68C8DA0999F9B3159914B9A4792A8D2AE882C430717FE4A42C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.423{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=512DF70D57A20EECCB7AEC30998AFD46,SHA256=6CCD4F79A6AA78F752BAB89AF16CAE01F907EC191A080739FEA8B31B18C43683,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-237F-6387-6502-000000009902}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-237F-6387-6502-000000009902}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-237F-6387-6502-000000009902}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.393{E56ECBBF-237F-6387-6502-000000009902}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000392838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:48.370{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50464-false10.0.1.12-8089- 23542300x8000000000000000392837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.035{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=290994DE80DF6B6546BCCD80C49430FE,SHA256=FC6BEF8AFCDC9A0A7D45CEDADF3D302167698E0D58F1B13288561BF60CF0E081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:52.817{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7BDADAF5AC387EF18D8AADCAE43B1D,SHA256=2AB0E88F3019F0895FDCC847ACAB9AC8ECEF3BC3645DD9F280FA06D58BFDE1B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:52.859{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:52.585{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7662B885E86452440E22BA16E679AB8A,SHA256=14054AD2D28DF097DD106DB296FB09832EE54B38A1D4BFDDB65FCF4E9815723D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.917{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCCD28F49B1379B1F91B9EC66B079CC,SHA256=D1710E18650D617D1A72D453011450EEA0D5C7A596801A9BF52E6B7A03BED901,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.885{E56ECBBF-2381-6387-6602-000000009902}14483404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000839269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:53.669{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B58542E0876A52EE4E3742C980CE5CF,SHA256=9B21DB9EFCC1F9134D5CD21B3FB5B13FCF2456A3CB3541B0A5D8509FEAE9064A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2381-6387-6602-000000009902}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2381-6387-6602-000000009902}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2381-6387-6602-000000009902}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.730{E56ECBBF-2381-6387-6602-000000009902}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24F5C81AE301AE67881541B08AFD641,SHA256=BA8D4D0F2220BD53ECEEC79D5E25E908683EFA33FA09ABF958E8EE5E46E245FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2382-6387-6802-000000009902}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2382-6387-6802-000000009902}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2382-6387-6802-000000009902}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.910{E56ECBBF-2382-6387-6802-000000009902}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000839272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:52.539{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54062-false10.0.1.12-8000- 23542300x8000000000000000839271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:54.746{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7353C0B4457806D4A4DB23F0EEF487,SHA256=81EF97F399E7A73D5BDDA131159EE17A74C9F33630E395563C09BFB78D44739C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.627{E56ECBBF-2382-6387-6702-000000009902}2520948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2382-6387-6702-000000009902}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2382-6387-6702-000000009902}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2382-6387-6702-000000009902}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.410{E56ECBBF-2382-6387-6702-000000009902}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000839270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:52.290{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54061-false10.0.1.12-8089- 10341000x8000000000000000392912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2383-6387-6902-000000009902}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-2383-6387-6902-000000009902}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2383-6387-6902-000000009902}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-2383-6387-6902-000000009902}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.979{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75E57F1BF2BFB62DE031E55441ACFE6,SHA256=81426BCE9EFF616AB8FF07CC7E22FF740BD9F866C9A1EA55326789AF0C855B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:55.827{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC423D6D9C87C96FF273CC932EC832AF,SHA256=6040940A1F645E8A090642E00E8B536BB29280B6FBB38749C4A77441FDBACC24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.106{E56ECBBF-2382-6387-6802-000000009902}7204044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000839274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:56.907{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D7315409D8C277DCD313A9D0482266,SHA256=3E81AF2CA2F285A7C417DA83129709814152A5FA6B3349C1A68CEC18B46BF073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:57.997{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B074466C4129DE04A94C9AD3BA21CC,SHA256=FEF0E7C7608DA922C1C2FF319FEC7B2614E664C8C1A1655A78E8D53E9AEDD193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:57.090{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=502296772CCE7B39DCE77187FDDF89EC,SHA256=74C34B0D924C25B90A2A5487B87B332831D690C1E48301CA34750E257C501DDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:52.917{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50465-false10.0.1.12-8000- 23542300x8000000000000000392913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:57.058{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED39A4F26187C309C8588B9DC498335,SHA256=E808627ADC0CD9DCB06122AF939435321A30C33DD566C4480FD6DDCFA5EF427A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:58.160{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E398C228CB16912BD6694887D06525CA,SHA256=8680999FA1198E6870029C00AAFD2BF083ACD4869AE0285397B68EE220E67972,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.887{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.468{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.463{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.456{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.453{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.436{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.434{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.432{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.427{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.417{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.403{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.399{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.396{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.370{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.364{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.338{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.322{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.317{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.308{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.290{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.282{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.270{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.262{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.248{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.111{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.098{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 23542300x8000000000000000392917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:59.235{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC7DDEC2234ACC6AA41354BE9502562,SHA256=6ED6A2DC0543C439E6565916B9D4DB3E7235792DCF9F19ECD78977B9F82E9E3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:56.685{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local138netbios-dgm 354300x8000000000000000839303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:56.685{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000839302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:59.127{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86F0453A12F020834F8D76ABD7C683D,SHA256=AC5670DFB18E176C50EA0C3EC3C1226C647E1B43D395C2497CD93570995B8840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:00.320{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7061E1EDEC480464C685F0F69122D41B,SHA256=5F3AF58F29907BC297C955DDAF73A22499ED5FC9B053B9C2421DEC80A141D357,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:00.927{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:00.926{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 354300x8000000000000000839306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:57.646{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54063-false10.0.1.12-8000- 23542300x8000000000000000839305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:00.211{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2964DD68EC66D43D93E2B44F447DB73E,SHA256=CEEDA1AC3F24C1E4703FA33085FC3752C9D53C4100932829B4A272E4F9B18983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:01.395{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB208A7F83EA7224F693050B65B08515,SHA256=DAB15B6A939B8D4C73277C7B40CFC4ECB1D5872144CC66665709BDB60F249CB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.863{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.863{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.863{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.847{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3100-000000009802}2952C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.453{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.450{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.447{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.443{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.442{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.439{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.439{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 23542300x8000000000000000839309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.281{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B066559E15BB912569AFB96A1219CBA5,SHA256=B9D15645243842EC0561E99225A84D19203AEDF95C2AEB3C64A45937F4124DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:02.476{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC4239DADF0315177DD44D3350498DF,SHA256=2CFD4B96704472E90FF239F325CEB19B7364A4418BFEB9B1D9126D9B77B2190E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:02.379{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079EE2FF9F9FE0E0D849512455C6FF38,SHA256=3DA8BBF963D4C087DC4EA8BBED3F84374B307BA813000382C8987B1B7F6D783F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:58.904{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50466-false10.0.1.12-8000- 23542300x8000000000000000839322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:03.467{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C768A1D747E3495F10B9994F40E6F0,SHA256=DC61E9D321531F278ACCD45E4C01682C123D4529C3E62F212D3D7B8B82A48450,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.647{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.644{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.642{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.640{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.639{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.636{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.633{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.630{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.627{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.623{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.622{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.614{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.611{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.604{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.595{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.593{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.579{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.573{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.563{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.555{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 23542300x8000000000000000392931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.552{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD94C62723663A9E35AE22917A635217,SHA256=81C30272F9639E3D242C55CAFDC2B6344881135A4559BA4C0F4D847B3591FE99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.545{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.516{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.511{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.505{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.497{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.490{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.483{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.476{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.472{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 23542300x8000000000000000392952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:04.632{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7358B82C5D3651778260F32316E3FEF5,SHA256=1669276248420BA3DEC6DE32FFB9CB73531DEBE60E15F4E168E6349C78F878E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:04.556{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4998DF2F62A3BE638DC77D8F78A6C03,SHA256=E96433BF8DD0E274CF15C1939A13C777D05A0546C7A93AA12683BB776384458D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.775{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-238D-6387-6902-000000009802}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.775{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-238D-6387-6902-000000009802}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.775{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-238D-6387-6902-000000009802}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 23542300x8000000000000000839352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.753{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5C192571794A29003C4B25447FCB0E36,SHA256=5A6D42153776B383809DC147B9BAA46D159996E61DECCD73C287D1D1FA41110F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-238D-6387-6902-000000009802}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-238D-6387-6902-000000009802}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-238D-6387-6902-000000009802}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.673{8A63456F-238D-6387-6902-000000009802}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.656{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E8AD0A7AE707EB2F1A54AC64533D40,SHA256=23475488D251BAC49C2D075CB3102F37083592277A0A8A2829047AD53E28799B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:05.721{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3B8405EA1BBA7F90E354E70C9B5F93,SHA256=CE5B3506557E7D6BA3CEBEBBEFE430E67FE734B08903F014CBA72BB9230CE068,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:03.580{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54064-false10.0.1.12-8000- 10341000x8000000000000000839336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-238D-6387-6802-000000009802}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-238D-6387-6802-000000009802}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-238D-6387-6802-000000009802}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-238D-6387-6802-000000009802}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:06.784{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57D23E732A90EBC71ABF64A5A7156E0,SHA256=688FE15BA8B19307E94C7797CCFF2E7E0AE46D71E9D687D0B9AA246F9247554D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.651{8A63456F-238E-6387-6A02-000000009802}30884584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-238E-6387-6A02-000000009802}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-238E-6387-6A02-000000009802}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-238E-6387-6A02-000000009802}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.345{8A63456F-238E-6387-6A02-000000009802}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.063{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79C11459BCEC58AC1A68B724E16CF7B5,SHA256=1114C2E47978E1AF1CB584378D56CD6FC17B70BCF2E76F626EC262AC26277851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:07.871{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08109614F744349E260A25DF6B11AB89,SHA256=60771FCEA74AAABF7F66E28E74C9D232AD887C5A9FCE932D114A5B9CB2D42466,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.806{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54065-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.806{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54065-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000839372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:07.467{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=415E08A8DAE642D3A71D0D5206B947FC,SHA256=B5E80C90ED267AEED103374E747DE22D2FB7440B64F94270ADBE6B1834CE7DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:07.233{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6883C37EC10D5C3A8EB34928EEA66B,SHA256=44F541AF69FE8C9E385B2E558900AAF25CE797E3D02F2D053031805D5E5B90C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:04.853{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50467-false10.0.1.12-8000- 23542300x8000000000000000392957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:08.953{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742390048EA8034E11F9821B9EC73E61,SHA256=3E7D4A849171EDEA9593E24234CEF70224F184C3BF298BDE18FEB60927ABA352,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.556{8A63456F-2390-6387-6B02-000000009802}43644340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2390-6387-6B02-000000009802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2390-6387-6B02-000000009802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2390-6387-6B02-000000009802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.385{8A63456F-2390-6387-6B02-000000009802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.353{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B8D4188B0FF1E625DCF574A3C7F699,SHA256=2F151F10DB4899BD4DC8952C3366C8356C022CA7BFD333DD26A69BF1EC05C25B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.821{8A63456F-2391-6387-6D02-000000009802}46724728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.818{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2391-6387-6D02-000000009802}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.818{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2391-6387-6D02-000000009802}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.818{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2391-6387-6D02-000000009802}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 23542300x8000000000000000839417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.804{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93231C901E491E0759C313F8D905052A,SHA256=7AA4871B21FBB2DA8519339F4249455A0F78655B9D956C8EF91A4F41FB96685E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2391-6387-6D02-000000009802}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2391-6387-6D02-000000009802}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2391-6387-6D02-000000009802}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.639{8A63456F-2391-6387-6D02-000000009802}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000839403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.285{8A63456F-2391-6387-6C02-000000009802}26644428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2391-6387-6C02-000000009802}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2391-6387-6C02-000000009802}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2391-6387-6C02-000000009802}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.068{8A63456F-2391-6387-6C02-000000009802}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:10.715{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=214F4C36AC7148C0657D581D7870D881,SHA256=30657BBBF5DEAA845CFD4FD640F8B5B4331944F7B30EEA0C7CDDDE741290BC20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:10.036{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071477793A51A8A63BF86AA6DF2341C6,SHA256=8453DC4870BFEF422F41D2D95FD0C60C5B0AD6C36798D8180BFB392534D39FBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.821{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2393-6387-6E02-000000009802}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.816{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.816{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2393-6387-6E02-000000009802}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2393-6387-6E02-000000009802}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-2393-6387-6E02-000000009802}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.798{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E97BBE874485503D3CA070E0A98690,SHA256=DFCB03D22605D60997F57E721481CE2860BA27BC8120DD3EBA936F58D9137829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:11.123{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7EAE99CD864F4D99B8A32F4AE189EF,SHA256=529495090D058B9F3A39FDA809AB7E9014D6C48E11598794DDC2549804615E09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.493{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54066-false10.0.1.12-8000- 23542300x8000000000000000839439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:12.934{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71794079C65A5E97AA273882FB15732D,SHA256=5270C13A48D17B62C658EE9822AFC68735F050F2BB1205994AB2DBBB2D2F6FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:12.879{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1EE3FD118DBCC9A5141AC92AF999C1,SHA256=1872F191D86CDD4DEF6D5B1DDE88FEFB681D76C2479C36071D67057717E0E895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:12.208{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90EE43DE51F5092D0CC5AE8DC9EFF311,SHA256=75539EC4856131F113487FA9A2A3A37C37AA26232D98D07C0A479BC7A98ECAED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:13.976{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0519644B02FA5800F968FB382CF261A9,SHA256=D0698648CFB3F0BB43008BC88839907ACFB4793DD7B8ED3265A13DA1D0F3A9CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:10.855{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50468-false10.0.1.12-8000- 23542300x8000000000000000392961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:13.409{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6635419EC81BB2263D1A6D31D8374F,SHA256=F01DE184269BF2AE69EF46FC29B9FF88253BC4A4391754F21039CC0D24A38DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:14.481{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0CFB6384CAA97D1D2297C66E8D8D2A,SHA256=D0ECB8B5C825A8D7934982A215A96459AD23DD69AB88657387E40D019D79B72E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:14.051{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-062MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:15.561{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA4759F704034244F34084FA48BA068,SHA256=D0D12312839AF05E03EABBE1A2D099B7C56D1E2B8B1544390C47E65BAF8C335E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:15.048{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6906049E3B9F7A0268B70724AFBD2D3B,SHA256=7F70C4189DAB46EAC8136B62D8FBBD717F742AC5C1C9617AC193882E075E75E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:15.056{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:16.626{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEEA1215FF79EF8455F6F2A65E443A3,SHA256=EE38E0DF8F0B5E8D0433BCAC78E1C949433D382E669D4CC6DAB2AC93CEBF4A5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:14.541{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54067-false10.0.1.12-8000- 23542300x8000000000000000839442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:16.131{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6967AA8B9295669F0F6D34A97F0F56F,SHA256=EDDE913193910672B49E589F8E5BB6F913947CC84330F1AC49693233332A96C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:17.814{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAADCC668BBF4F592C32CB19D8DB6A4,SHA256=F233D253B55DF924927EEB7C6CC60C7B6924A865D22FA822C1D5160D00C30812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:17.209{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECC10AC0138343D5C25FF2389E2FD7D,SHA256=9C0D80AA6B145087C06E8BD74EE8892CDC430A92A46F2754BFEA4D1E9511FB30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:18.911{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34ED06286F4A3C0D8C37CFBED105B680,SHA256=0A08CF66EED70C126718FEA3B2046A4D3914B8DE2E32343593CA9119C8DE87FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.684{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.316{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.312{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.301{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.297{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 23542300x8000000000000000839466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.278{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE24762BB22E1591F226B289C1D9E899,SHA256=1882CB5BC6D223CA3E3B58AFDC9CDA5B2FA73A85571B75BD23A0DF673E70AB01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.270{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.265{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.262{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.256{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.243{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.238{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.235{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.233{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.205{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.197{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.185{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.179{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.173{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.163{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.153{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.145{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.136{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.127{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.121{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.071{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.055{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 23542300x8000000000000000392971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:19.984{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CE4F515FBADBB5C3BF7496BD23EE95,SHA256=4FD6EF91E037A3DE5F8BC781284E468834CC1FEA98DCCACC66A2B7E3A6CAFE04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:19.312{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA29E4CFF146727578A08B273D5437B,SHA256=7EF8DDD6EAFC04D01EF9CC206E48F39EBA140232F5A2CD6595F90FFB2682C6A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:16.813{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50469-false10.0.1.12-8000- 10341000x8000000000000000839475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:20.707{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:20.705{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 23542300x8000000000000000839473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:20.396{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD68D6B4B242CB695B655ECF9A32DC6C,SHA256=F948752A41536ABC48756C28BF0BAF0F73CB336C0D35DA79EF0A32EF934A5ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.459{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EC881760B5A16FB3AAFB49FD09D671,SHA256=D88245C29251B536DA6B974C0139BD81235109A9BEF4DAED3995B4AB8E812E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:21.647{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C93E02256B5E9AF57D5C117E5338BDD2,SHA256=DCEE5F052D955DAFDD427AF5F3D05245105F46884D7C35276BF0C50A3A5412D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:21.074{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEC1E99DF92CF1AD09197161A2FE580,SHA256=79D82B886D14C1C4BF95769D6495F0713CCEF5F17A47A6C7C6F2EC05E1E53E4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.226{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.223{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.220{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.217{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.216{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.214{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.213{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 23542300x8000000000000000839484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:22.544{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B02544F9A3BE3402E758526F649DA54,SHA256=0B1961DE2C047DA45086EDD76E3388A89546026A9BAB8B909DFCA782E9B8C071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:22.141{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874A941AAE25EAFF6F07E2F7F59CACC4,SHA256=4C3D06153C5F76372F91F825885AC02F51ECDF164841EAD8D1B3842210E318D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:23.618{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73ECC8AB16533A19EC387D58DA71CB4A,SHA256=A9A92A3B033A2EB37277BF94C0E293921E69E057D4B6C8080E59244F8A037B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.727{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.723{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.716{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.713{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.712{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.710{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.709{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.707{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.706{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.701{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.699{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.692{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.689{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.678{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.668{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.664{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.642{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.627{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.616{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.606{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.591{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.557{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.545{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.537{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.526{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.516{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.493{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.477{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.474{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 23542300x8000000000000000392975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.214{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484EF21D329A36CC117452E30CB8B066,SHA256=1B6421672D5A52BC08C0D07786AE60CE52DE4024E91B8C1B86A47A8E78885319,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:20.509{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54068-false10.0.1.12-8000- 23542300x8000000000000000839487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:24.696{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0B9FA5064E92198551028E6A41F4AC,SHA256=4E69E514AE3F52384B6217B7B164EBB3D4B9F24C901625360A800E5236A2F86E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:24.776{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A816A97713C61DC5ECB37A7B7C8009,SHA256=D8528674A23D13FBAD806E419C8814C47CD42D8E29506DC493AFC3BB67EEE89C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:21.986{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50470-false10.0.1.12-8000- 23542300x8000000000000000839488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:25.784{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8A7948E9463D929E566B1994C009A1,SHA256=3734BA9EBFA3B4942AF0663F862A800A252BE52140E27431108D65587CDCC2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:25.813{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11681EA0468AC0C634F25F424A87B3E0,SHA256=3819D5091C289F1C68CCFCE3545BDEBD195606F42E5A95F9CF7A2827DB03C69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:26.857{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2907A875EA6975E8079E6C13838F87D,SHA256=92F00602CB3F334809A2430618B03A79074C54714C4CD1ACCA162DC609C1E887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:26.872{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B96C2260E02E46400FA48BFE7932FA,SHA256=D7DCE8CE2A6123875D96552123FFED129FB0F23D6344AE572433CD078A079883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:27.938{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93FC8F872625312B601576F019BE0897,SHA256=F7E87656EFD61506D7DDFAB7F904A56F04288D1D72C2365EE24CABC88048748F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:27.953{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CF1298A926BC020BCFA0948672F24C,SHA256=63A21358AC46DE92B476BA0BB015A8140FF8554B623AEE87822980FB61A9E988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:28.452{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-062MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:25.588{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54069-false10.0.1.12-8000- 23542300x8000000000000000839494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:29.464{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:29.007{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C95D960B7A05181CFAD9F5D3EC69F6,SHA256=DD0A76CA7655FDD43489F8B01020B51215F02E667A9E827999CF95F8054C0E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:29.025{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25CCE25AEDFB3301CDBEAAC9F365DFE3,SHA256=610EEC315B4B3C45218DF74A5C048A6F384E9117A22EA5844D7B6F36F60688EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:30.069{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C7B44AD4D0165CA56E5E83312F355F,SHA256=3A50B212DB78D7D258398C715189C1BC398A8E6DFFF36242354C1032E3801580,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:27.824{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50471-false10.0.1.12-8000- 23542300x8000000000000000393011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:30.102{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1A3472F1427ACC22B5F2EF2AC96323,SHA256=A79A1EA347D13605C5ACBAB975973ED092A5C3EF8D38FABDB5D87305139131F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:31.172{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34AA276AD1A2E1C74620D17DCAC470A,SHA256=3EB7D1BA5E804597AAF2638E2B1703195D375C482627256E4B1FE7FAD8846B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:31.144{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4AE4EB17A06A50232784B8AB0A50BC0,SHA256=0D645E06FB9C3BEE2CD9B8F4BF03E8E65B33E25B1CDAAAECDFE4A37DE769819B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:32.249{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838F72177726F96F2F0BF0B1FB89DF50,SHA256=C15A1054F33FF75489777706A1E5E428996A8C5D862B07DA621B5920DAD554A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:32.218{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67DA520624BC372FA8A8F2FC93F5DD8,SHA256=6C4ECBC3D8519EF4484C9A87E49D6313C54079DDBBC4E976CE7270E6CE3066CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:33.326{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47AF4B3E20AD2063F3E276626C2444A,SHA256=E9E83A25614D51D2094285105F08AA66FA58FDB2571D897CBBD73AF2245BC682,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:31.584{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54070-false10.0.1.12-8000- 23542300x8000000000000000839498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:33.298{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F8B712EFF13D381DBB9700C25F83F5,SHA256=022E6D482E08FA7527D426640A54B4DCF902A40844556031A07A29B158423617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:34.411{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B4779C173F7920FC1BC67811C04787,SHA256=6FD2E4C3EFB4FAC290F005881BEA862F40489E7EA51D896B84B2EEA40040434D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:34.373{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAB987E68F9E2A66A2DB39514809A98,SHA256=C1046454C26C8186ADA7E7BDAB2668CFC79A188ECE4D83B4738674E00227C08D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:35.490{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3179A6067891D1E132F487CFB7E585,SHA256=CCB656AE8FA7250E94C8474CE0D954D7B23B3B983D1C8202E884BC6C482D9748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:35.459{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E818DA4CA715EC93B8AA43FB4F451719,SHA256=6443999ACB05030A77CB2FECC58BA789D5E94E227A06242CF00160CBDCF60534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:36.692{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9DA78DD462A170F12635670D90C97CB4,SHA256=4387E2D0FB805B1D1E5FD11F349D94268CE277FE7BF726154AA685720F8F0BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:36.549{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B16DF7EE315C9B307ABA7143CA6DCF2,SHA256=086775FD6A94C319D1881B64BDBF5320E070C569D9DEB68E0FE6F315958511CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:36.562{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D5E4FBF66E8B149D498BEABC99E037,SHA256=BC3ED7073501D8DFE4BD44FEE909F35E2BD15CF7CAFE0FCE1C8A97087A42C321,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:32.917{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50472-false10.0.1.12-8000- 23542300x8000000000000000839504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:37.617{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52E468D8D9F71A2D7E4EF1200458B93,SHA256=987FB52CE3B3C8F17A1B8F1A517BFCBB4D9E02CC23C597AE43728068A0E437DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:37.653{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27B09E67178CC98D3E07CB3ACEBDEC7,SHA256=3EE4B8766B2E6DF96543A3A709BBD8050F69612BE08772D2B78BF2065F9D8168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:37.153{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=65A1D612A36DC585CBF32E79B41F7B26,SHA256=A55A0B9812DC83DF0D119569D7113FEB354C6EDF97D9ABC92CF51FBE6174E2EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.705{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.662{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DAC4456FDF100D9ECAAB66FD62315D,SHA256=3C54B71FFD81C0B0874F3234269C4531D26D990EE0C5BE0FF726DD1927A61969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:38.729{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA660D088E989D7059AA49530D41A1C3,SHA256=C1EEB6A62FFE6228321EFD518A421918F408744B12A2B0465F61F76207580517,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.327{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.324{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.312{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.311{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=09519B5201A0D0F4FF8EDB609355605F,SHA256=C840167CC9090B0EE79B2D801B309AAF3D6A2CB9E8F7A80BFA4599C3A4E937BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.308{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.284{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.282{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.280{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.273{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.262{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.258{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.256{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.254{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.218{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.210{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.192{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.185{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.172{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.165{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.154{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.138{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.130{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.118{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.106{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.058{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.055{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:39.723{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC3460A6EF8E2B0F71EE9C995396FA3,SHA256=927197E8367FEB537EE3AE92EFBF2C808A2BFB7519D82C2D1D29B97B27755D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:39.804{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9E243A49CAD3B9C55F64F17861EFA5,SHA256=A42291F9AD427150AB54B60EE39BF64DE045D16AED35CF05480C7BF55E2BB7D6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000839543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000839542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003ba0e4) 13241300x8000000000000000839541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90496-0x95cc4fe6) 13241300x8000000000000000839540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049e-0xf790b7e6) 13241300x8000000000000000839539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a7-0x59551fe6) 13241300x8000000000000000839538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000839537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003ba0e4) 13241300x8000000000000000839536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90496-0x95cc4fe6) 13241300x8000000000000000839535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049e-0xf790b7e6) 13241300x8000000000000000839534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a7-0x59551fe6) 354300x8000000000000000839533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:37.547{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54071-false10.0.1.12-8000- 23542300x8000000000000000393024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:40.883{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AFDFB0A890DD40DFBB2EF1CCF0E128,SHA256=93E1DD31D5656BFFBF3CBBF9FF260DD3C137EC7671A0F8050A0E19D9D92FACA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:40.801{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687514CEBBC3BD405E830EE4FCC9BA19,SHA256=4BFDF737A56581838109DDCDECE007263470EAE72EA9957C243F362FF58599EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:40.743{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:40.741{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000393026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:41.970{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C918507C0E90EEEE8D25D8430C09D07,SHA256=935B4C1FE6E4FD4F5542167D97873D19B4CBAC949159E540CFDFCC4BAE09CC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.762{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02AC70B10DC5391308EF4585D92399B,SHA256=CB548AEDD53A4248798CA6B67B51E6278FE497B3EBE671165CE372C16EFD9FBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:38.865{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50473-false10.0.1.12-8000- 10341000x8000000000000000839554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.266{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.264{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.261{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.259{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.258{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.256{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.256{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:42.849{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F13A84B70ADBBCEC9FBF38719C2EAD3,SHA256=2F2930F6A0CA03B52B727AC1BEF4D8574847542616CEFA818C04595617703F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:43.925{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD15CA293AF73E06C1ED5EC99512A8C0,SHA256=B535F0A6A6CDACD7D09B53A5D76F55E1C89675EBBE7355E2F178647E11B2168B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.639{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.637{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.635{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.633{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.632{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.630{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.629{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.627{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.625{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.622{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.621{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.617{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.614{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.608{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.602{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.600{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.582{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.574{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.563{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.557{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.551{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.524{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.517{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.509{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.501{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.493{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.487{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.482{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.477{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 23542300x8000000000000000393027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.048{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B184638890AFA48989E3BAE74D72A276,SHA256=B735A8C062B84736FB93403FB950505D32C040AE2317BF9FC871339CFCAF0D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:44.324{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7F4FD1D868B0C0E8FD0A660EADCB64,SHA256=6CD912EB714335988FF9B532A68FB31F0C531FE822165410CBE890ADD4E7659A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:45.403{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37850C1CA5D45160D27E772E53899561,SHA256=61D0AFC10DB6A00CFFE146D3EECC9E4FC4FA115C57EE0A4B1F38029FAB9F289C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:43.510{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54072-false10.0.1.12-8000- 23542300x8000000000000000839558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:45.008{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B7461E611D66A06EA108D326AECCF4,SHA256=63134424862D34B0F8CC0551FC3261A51C74E72DD775F775429C438542A3FEF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:46.465{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881D73D8C0C158669BB021FA5AEF59C3,SHA256=A4301D662BA067B372E4625D23222A1620E3AF2FC2DB13D4C54E51D9378626D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:46.083{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998ECB8EA07CAAC2FFBFFDBE72735884,SHA256=755ABF6F07550A42C19A5FEE81D7A33547E8071606CF2BD793BE015563EEEE29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:46.221{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:46.221{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:46.221{E56ECBBF-146E-6387-0B00-000000009902}6441464C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:46.207{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:47.546{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2391EBB3ED065507EC361CFAA6578E33,SHA256=F2745D299D14D24BDD94E7D417930B44BB33D705C16E54C4EECE37FBD0D637E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:47.174{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD26E86A3FDE8FEBE21A0A5B84CCD92,SHA256=5CD7E788EEFA3E54DB607C6F90C2BDDF40C434B0F85297C2073AD0235D747F17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.988{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50474-false10.0.1.12-8000- 23542300x8000000000000000393066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:48.619{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46FE812384A37BD67827E6D164E0D1C,SHA256=A205A8970C61EC836B66C2A47113995DB0AE7486B63CC0594360F844E57C5A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:48.259{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A211983C783F952FB88788443225D7,SHA256=F59551FA691D421FD6A5A9ED13A91848CEBCC2A9F0A1EF9B1D6B5B30487271C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23B9-6387-6A02-000000009902}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-23B9-6387-6A02-000000009902}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23B9-6387-6A02-000000009902}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.854{E56ECBBF-23B9-6387-6A02-000000009902}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.697{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041B7EA0B965D94A39809399566938A2,SHA256=4E8D345FB47E2C5E53342FF0514A7FBD6F43C69942B4C1A5928F5001F07EBFCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.650{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:49.338{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42C1A3BA16F3CFF91B9AEE27850E83C,SHA256=F22E07CFED13E7FE3B6BF66209DDD13734A3BC18EECB8FF708EC3F7EBE591502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.984{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8176AD386DE268A2B5AE80841733D956,SHA256=4E2AC6C9308C2D9E9F3A901CF9E4DC5F4CA102A1927539B01ADAB75AA099F0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.984{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=110435FDC69B8CD4F2D5D16A92882BAF,SHA256=BAE588681EAFACC8A757B53CF12F8B381F15D96D378F3F956640330033D9E2D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:48.611{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54073-false10.0.1.12-8000- 23542300x8000000000000000839564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:50.429{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB6F89961556267716A32F4A725CC57,SHA256=80C0D2952F44173876E6D15862BC7B4E8D152E84EB5DC9836984F3E69E9D1F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.632{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CE391B3EA6F05763FD01915BEAE84EBB,SHA256=F55A9F352F17A4F70C540A684812CC680E31E46A413991A41B51AEE066C19F88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.592{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23BA-6387-6B02-000000009902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.592{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23BA-6387-6B02-000000009902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.592{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23BA-6387-6B02-000000009902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23BA-6387-6B02-000000009902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-23BA-6387-6B02-000000009902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23BA-6387-6B02-000000009902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.535{E56ECBBF-23BA-6387-6B02-000000009902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000393082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.994{E56ECBBF-23B9-6387-6A02-000000009902}11963708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000839566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:51.520{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF3003ACB6042A2E427C639D92A896A,SHA256=B619444706FADAB078B09A79338374F709C516B953E839D97C5113C5F19BFE68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.856{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5C48181E9315F7EEF70FF94B07DDA0E0,SHA256=40B5DFEC889EB510AC1443F75E868EA2941C0F9ED96B2B4E5DB336264243A13A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:48.390{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50475-false10.0.1.12-8089- 10341000x8000000000000000393114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23BB-6387-6C02-000000009902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-23BB-6387-6C02-000000009902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23BB-6387-6C02-000000009902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-23BB-6387-6C02-000000009902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000393118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50476-false10.0.1.12-8000- 23542300x8000000000000000393117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:52.192{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BAE03110E778FCFD24D4BB0941365A,SHA256=F6D418DE067BECD6A40D6359893AF0CCFE7AEE2F4372C5764CB74F2CD05F536F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:52.876{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:52.607{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583409B89D5C25CBC577039494EA7A45,SHA256=15372888EB298250625D840222E2B02881BA888E4884AD15AEAD282E9B14D454,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.938{E56ECBBF-23BD-6387-6D02-000000009902}31522304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23BD-6387-6D02-000000009902}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-23BD-6387-6D02-000000009902}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23BD-6387-6D02-000000009902}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.736{E56ECBBF-23BD-6387-6D02-000000009902}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.290{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179F47556D6339C793E05C05596A2423,SHA256=5E5A22BFC260319498847155EB86E957D86109645C7545C83387E1A4A06FDA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:53.688{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF4DF6EAD2E3E84F649BF5060D5906E,SHA256=A5CAE3EDECAC5EFFBD51827067824894C5C9CC6D180FF70898E8D848E6745432,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:52.305{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54074-false10.0.1.12-8089- 23542300x8000000000000000839570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:54.776{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A419F9A46A34CD7C064EE0FEA976DA,SHA256=2377F41F56BD468BF86C2329E822C139500C82EB01312F1BDA7C7D89829C5231,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.557{E56ECBBF-23BE-6387-6E02-000000009902}15121884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23BE-6387-6E02-000000009902}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-23BE-6387-6E02-000000009902}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23BE-6387-6E02-000000009902}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.401{E56ECBBF-23BE-6387-6E02-000000009902}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.369{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4BAD6461BFA87EA9E215D7ED6BEC43,SHA256=523F729D0DB369B8E1A17F9417B014514685603798BE7B7B0B94949063FCB8EB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000839573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:55.911{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9049f-0x01b66b3f) 23542300x8000000000000000839572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:55.864{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502BB15BB296799FD466D167169C2A44,SHA256=B99F33A44C9FE5D4EC610D22ACA87018CAF8A19D6EE807FC093B1592F907E14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.485{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362CAA1BAA9471995C33BACBB064A653,SHA256=F877D6CE9B256D5618BA8D9BCCD7C109CD8B5E36343A60BE00BC74AF08BA4D9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.220{E56ECBBF-23BF-6387-6F02-000000009902}3080868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23BF-6387-6F02-000000009902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-23BF-6387-6F02-000000009902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23BF-6387-6F02-000000009902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-23BF-6387-6F02-000000009902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:56.952{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE27ECE74AA74F3EB6B72E57147D232E,SHA256=67CD59C5DAEF7C7B45889581BC25997E6CB62D92B5350BC3D3FAA0CD151C4B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.638{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4AD6605DCB8545C68D83977007AA7C4,SHA256=73AD1041FBE77FF8CAD2C7473ACC97DB0CE5ED5F7BC2A2404E1309BD6566D7A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:54.612{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54075-false10.0.1.12-8000- 23542300x8000000000000000393177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.176{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80755D31A427CCBD28EE6FE9F5823198,SHA256=382E9EDB4E632A4E3F1334CB3A40659DF756613AD23997BB61C6D1214F2E49B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.014{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23C0-6387-7002-000000009902}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.011{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.011{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-23C0-6387-7002-000000009902}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.011{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23C0-6387-7002-000000009902}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.011{E56ECBBF-23C0-6387-7002-000000009902}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:57.721{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E611DB19A6E6F1147A49B8090E34E4,SHA256=06965FF67CCF99A4E45E33C3388411F03DBF6B07C256FAF20D387DEB21087BC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.962{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50477-false10.0.1.12-8000- 23542300x8000000000000000393181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:58.797{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF3E18691C14B03EE5D008B8D945AE8,SHA256=DCA87B1710E23E9EB24C4BEBB133C7875FAC1AE9D80A688F8B5F33A3DE49A172,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.842{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.326{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.320{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.311{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.308{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.290{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.287{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.283{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.276{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.267{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.264{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.260{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.258{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.221{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.210{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.197{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.190{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.184{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.174{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.167{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.159{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.152{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.144{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.134{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.075{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.068{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.048{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F0267FDEE84F72C11BBC25AFA15F47,SHA256=DAEAF11FCD1FBC12979056D21D0D6E798F2625EF5F1101B41ED98D9E93911754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:59.874{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521471CDCC89F039988ED7F5B8BC2086,SHA256=F149C581D63A6CEF62C24A5CD18F2364A69DD15E1320E652419A683EBD2FFB4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:59.068{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D3A6DBCA4D8DAB1E4CBD7200C681ED,SHA256=89D21AD7CCE19FB43AADD53138351F5D077DC1F31A8FEA7E0100208E73B025BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:00.966{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C64CC8FCC995735BB80DFECC8E17BAA0,SHA256=89012E2FA3A2DB9CF06B1EDA46A67E1B2E4906E5B77E10B4EBCD98386A240818,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:00.885{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:00.883{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:00.171{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E0B77528913DBCC9ABFA41625EF4D7,SHA256=9561802DB3706D045987FABB3DB2F682629E2DB4F59FE0D99C5DF9D50FE4B1FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.861{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.861{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.861{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.849{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3100-000000009802}2952C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.404{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.401{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.399{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.396{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.396{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.393{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.393{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.236{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900187C84A31C4BCA6648F94B1ABEA5E,SHA256=22BBAEBB9322CDCE1EE1E1E6BF897D23CBBEC6E290E815E0977ECB7CCDEED227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:02.312{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98171680EF205EBEBD48D4C78F3DF95,SHA256=F818CC698CE28B254F2FB19A1475DBCDF50940C2227453F941F6F9FB93A6319D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:02.026{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA126820C30D4A3B5F1ADDFB22BC5E2,SHA256=879298DF4879C891303750CFD5ACFF48BD1235FA09DD92D93F4C984F00244785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:03.394{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE83442D1420C8F62F46F7DAC8237C2,SHA256=B654C8D89F84D2FF8116A403F5BAE35F4FCDCF7AFFB3AD649887CBB5DD48D4B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.652{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.648{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.647{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.644{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.643{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.633{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.632{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.631{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.628{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.623{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.621{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.613{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.610{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.601{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.594{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 354300x8000000000000000393200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:00.797{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50478-false10.0.1.12-8000- 10341000x8000000000000000393199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.591{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.579{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.573{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.564{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.557{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.546{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.520{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.514{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.507{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.499{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.492{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.485{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.478{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.475{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 23542300x8000000000000000393185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.106{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C85D1CB732DF73568144C5FFBF0E171,SHA256=E2A977A93FE0DF7BE1C50A93A9BF63476DFE476B1D5E88FA83EB8F80858F1A1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:00.540{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54076-false10.0.1.12-8000- 23542300x8000000000000000839622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:04.475{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B650A59CAED9EFC9505395562A6666,SHA256=B1F2B49E516DADB00E79CF7740DB4148B9D88F876050CA67BF62C72A7BD7E8FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:04.440{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515FBB4EBB17139F363805E98F36ACB4,SHA256=403435492BBF22FB924483BCF1361C60A55ABA887A84C1B50A3B5C65D96811C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.928{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A64409F0D1FDA62DE1F7837B3D6588B4,SHA256=13BF1160516AE172D5379D86CC5E42987C5A171F313C06EBC72C5AE60A2AB4C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.551{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF662315F531339E09D3E0299ADE7BF5,SHA256=677442058C899D00A8DE58503A200B67D06672410F7982F5F2B95A3A055F139E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-23C9-6387-7002-000000009802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-23C9-6387-7002-000000009802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-23C9-6387-7002-000000009802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.521{8A63456F-23C9-6387-7002-000000009802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:05.504{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8EEBE386F6C179AD8AED9156957A07,SHA256=E5CD3080BE48CD73C81480E0DA268D8ADFCF3953DFCACAAE7EACCFC90E47B8D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.239{8A63456F-23C9-6387-6F02-000000009802}6203880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-23C9-6387-6F02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-23C9-6387-6F02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-23C9-6387-6F02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.021{8A63456F-23C9-6387-6F02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.917{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=17EBF6BC417FEFF6F51BACC65E214F88,SHA256=07557C844A87158B74B158B26CFA434BCF3FF04284E5EBB166F341DF4CFBBD7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.804{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB7471D3AF3AA5C23BB90BC86B81A2C,SHA256=3B82648AB029169DAD9A8BCC3488147A3EC9CFFA178755D3EE2700254D65DD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:06.607{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EFEF538BCA0210E64FBC4B6640FC9A,SHA256=CC51C02F0E81171F010212460E7278FC9F57D64934F752BBCD9A615873FDF056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-23CA-6387-7102-000000009802}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-23CA-6387-7102-000000009802}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-23CA-6387-7102-000000009802}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-23CA-6387-7102-000000009802}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.115{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1B52CAD7309F7F95A97B32972100898,SHA256=8AA478EC6EF45B023FD72E77CD5A56D71F69E421742C5F040901956F2FE615DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:07.935{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F0D40A7A51959B07600795D8003791,SHA256=98369CD96E71866B0EFA99C98694B3CBDE721D008CDD3148FE69D4BBA006B981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:07.692{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF430BF81321ACAE388B60CCE40959B6,SHA256=0ECB170BF7CA4BA821A91997732DC8BFB1693FBA5BECAE64AA1E2656AAEC1FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:08.763{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47024ED2A537C81C1BDA22E18EF0AED2,SHA256=7BB2EA87D6BCA6537157A6EA235D6E2D89066615A560DC99B7CDA77164BBE0DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:05.853{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50479-false10.0.1.12-8000- 10341000x8000000000000000839684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.565{8A63456F-23CC-6387-7202-000000009802}4512880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-23CC-6387-7202-000000009802}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-23CC-6387-7202-000000009802}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-23CC-6387-7202-000000009802}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.394{8A63456F-23CC-6387-7202-000000009802}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000839670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.826{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54077-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.826{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54077-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000393222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:09.845{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1AF881FE32FA80C8747CE7E9B2274D,SHA256=340B41DEC545B22979685D2CEDFDD83C2A1AE78E5869855FB3EF0754C5613854,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.919{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-23CD-6387-7402-000000009802}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.918{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-23CD-6387-7402-000000009802}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.918{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-23CD-6387-7402-000000009802}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.913{8A63456F-23CD-6387-7402-000000009802}18525076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-23CD-6387-7402-000000009802}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-23CD-6387-7402-000000009802}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-23CD-6387-7402-000000009802}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.584{8A63456F-23CD-6387-7402-000000009802}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000839700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.332{8A63456F-23CD-6387-7302-000000009802}47601936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000839699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.535{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54078-false10.0.1.12-8000- 10341000x8000000000000000839698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-23CD-6387-7302-000000009802}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-23CD-6387-7302-000000009802}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-23CD-6387-7302-000000009802}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.067{8A63456F-23CD-6387-7302-000000009802}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.020{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10934DF737F610A218581A325610C6A,SHA256=C10BD3BAFE84719029B4E1E5521C92B07B49ED90D03219150995339B099A155E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:10.938{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23EFBF6F3DE4C8578FF9B24E3891BBF,SHA256=AD12C6FA8179DCD790FC0AEC168DFEF438E1E5C0035435AF2170AD06E221A177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:10.151{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C678113BBC5C63FB4192D6961A01C371,SHA256=07E0E514B98F2ADAFB209A28819E08C10A3F0146A9D863A528494104567635E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.914{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-23CF-6387-7502-000000009802}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.914{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-23CF-6387-7502-000000009802}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.914{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-23CF-6387-7502-000000009802}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-23CF-6387-7502-000000009802}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-23CF-6387-7502-000000009802}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-23CF-6387-7502-000000009802}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.829{8A63456F-23CF-6387-7502-000000009802}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.191{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CA74508979C649E38D87E1DA736A39,SHA256=B8C3EFBD8BE077ED776208B0FE0DFE8DB9E7FFF3DD2C4C106E5E74BE498E36DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:12.015{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FD135A0C6B1156A68513C1A6A5CCD9,SHA256=7D1655959BBD6D79C6258DB147B23D1A587FD4C340CC23C73F065663B165922C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:12.916{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51DD8FF2BADB9CAE6BBF7CD6F2D98679,SHA256=2D2F79A7937894FEDF3DA47DEDE739DE22CF3FD2559553CF6420DF54FC3CAFD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:12.251{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBDA0A4EF565F90E27F401331A63B2B,SHA256=58C56FECCB8627FE20A9F7510F6B4D8D8430C83BC541675D8BFDE0F972E38211,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:10.966{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50480-false10.0.1.12-8000- 23542300x8000000000000000393225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:13.097{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50274E5A92363F628F95A26177272A28,SHA256=31D0C4094A08AB763F26F366CB15C826B9448A15577B0528691E78DC098B6663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:13.330{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51735C59663A10D544F9C015A7150D8F,SHA256=876AA36E8D87D972464C83FB5730026AD6F7D16C0FDAD774864355F38CA0FE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:14.166{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3F956527DA3935C952287807A7970B,SHA256=D8CF2EDCC0DFE1A26104D38FF48370C706B584089538BBEAC0FBC10796B2F6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:14.393{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4429273303109F533AB47166267F51F2,SHA256=EB6A44805153063185A3F2ACBDB1E2C65EE8A1178B284F34C0EE850B627033C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.571{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54079-false10.0.1.12-8000- 23542300x8000000000000000393229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:15.579{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-063MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:15.260{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BCFEFBABD479D86BF1AA43FA04F6DA,SHA256=D48E21F89558DD8AAAF4700BEC4DF3F90ABAF08B19D499E9DA2DBB07BD2A73A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:15.486{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0B3FCCDB068ECE76CAB21B8F7568EB,SHA256=8A782F33F179156A42F3BF1C0EDD4887BA1FE224F67C8EFCE7ED7994F47D88A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:16.588{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:16.321{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD4CA8D8ABD2BF03068F9E7B6A8D7D6,SHA256=C9C2BBB4BA67A9369C188E8F541550FA65EB81920648810FEE239892FBE6359E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:16.582{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394A99300B55E3F6E2236EAC9B02A8C0,SHA256=8C3DBEB3222C357A7411401972D20C796199D88F1211DDE6F0A6ECE44BFCF8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:17.411{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E390537AD41EAD2DCDEB0455DDDA9F0B,SHA256=7F3B1C12BD2762614C5ED6B39457DEB42FB0ABAF75E172865B64E73B6852F001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:17.664{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA409F54E9D3A61532E089CD80E8574,SHA256=2095C23053D4C32EE0EE3A3C00F75EF0D2CF4540D1847A2461D1FF672E67279F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:18.474{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431EF42DECEABD81E7BCF23297936506,SHA256=D9F8DFCCC3B642785340DDF8BD9A50D929BFF1B7D871A2C7B1AADF1B472C6E0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.926{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.713{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D62382D390FB1C5AE2CEA0C92AC3177,SHA256=51F186E3CBB1F44D7B1FA336983B3013D21CD4E93036CA9102C48E9D9D9DFE6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.366{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.362{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.353{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.352{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.331{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.327{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.324{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.316{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.307{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.300{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.298{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.295{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.245{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.230{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.207{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.199{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.188{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.177{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.166{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.147{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.141{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.131{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.122{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.056{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.052{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:19.761{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED81B62E87F93E19903CA5CC5AD20DA,SHA256=AE707D78FF99DF338C049E98DB294F97F94062CC21E4DDBEA148E48EE19B17D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:19.557{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB09B86E5BA222492126B33B08116FBD,SHA256=CC8E369CFC86F61CB37825C203D1E1A3483E0FFA28DA7AC47D50415592441970,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:20.949{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:20.948{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:20.819{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0BFE0E6DCC7C094284DB7320D5DA18,SHA256=E0B2343793D4CD3CBE1E6B67B50418830809D22F81AEBF133110C7BD53E7715C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:20.631{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44B8F91069984E28BEBD23C29BEFA61,SHA256=634EA32AC04A2F674B4414A98ADAB9C0D064D3ECDEF6CF3798B33BD52EA47EE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:17.578{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54080-false10.0.1.12-8000- 354300x8000000000000000393235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:16.925{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50481-false10.0.1.12-8000- 23542300x8000000000000000839783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.888{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C9843B92305A22CDB92453B07D9F80,SHA256=5243EF28E7A67BC316C48A017676D9727FF7FA7C14A126D5B6ECEA27CF07D4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:21.709{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6D32F3F6B62272E0FEEC3D6FF4E79B,SHA256=3E490D2DBABA6D0A60DF75D1891DA5103B7C97A887532BAD2BB549FAA7C2F905,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.466{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.464{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.461{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.459{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.458{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.456{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.455{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:22.966{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4274E914F2C8DD6DEE120B0972B30EBE,SHA256=9BD1BB0051E01112A686AE5B05CA29D294F95DA768E0257F503A8BC9F1149421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:22.781{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E563E5C7219C65D6BF9FF57378923A75,SHA256=4C6FAB0DB4CFF1BC851A0811CA3AA9C40A3AE370E21C3CBC2278F8161F3EC21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:22.046{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=976B7F4A403E86238F92C0AC48A34BC3,SHA256=8BE106929C936056E2B655823F1724529005EB209D861AEE7E61A24B25F6F70B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:23.876{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:23.876{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:23.876{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000839789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:35:23.029{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\1DB41A76-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_1DB41A76-0000-0000-0000-100000000000.XML 13241300x8000000000000000839788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:35:23.029{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77\Config SourceDWORD (0x00000001) 13241300x8000000000000000839787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:35:23.029{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77.XML 10341000x8000000000000000839786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:23.013{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:23.013{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.645{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.642{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.639{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.637{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.636{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.632{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.631{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.630{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.629{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.625{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.623{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.619{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.615{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.609{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.602{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.599{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.589{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.582{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.573{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.565{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.554{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.524{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.515{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.509{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.494{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.488{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.480{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.471{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.469{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000839803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.880{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.880{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.708{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.708{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.708{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000839798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:22.480{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local50107-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x8000000000000000839797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:22.480{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53831- 354300x8000000000000000839796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:22.479{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53831-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domain 354300x8000000000000000839795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:22.461{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54081-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 354300x8000000000000000839794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:22.461{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54081-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 23542300x8000000000000000839793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.032{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85BBDF5D99B0012B9CBEBFE12171C7D2,SHA256=32DE918B7840294DA617636D6F0763EE25CB3BEE2AC324500DF3FA5D487DF12D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:24.019{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FDCFF4CFEC48920AC20899C1D3D19DE,SHA256=1E207AC196E63A508B4664F85BE47CF3ACA4C7698F1A03EBB7F1D63FAAD7A238,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:23.321{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54083-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:23.321{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54083-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:22.616{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54082-false10.0.1.12-8000- 23542300x8000000000000000839805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:25.114{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA7B368F74B102001ACDD9974632066,SHA256=06C2DD81605D70243A2BDD7B12EA2C1F3606E2A16A8A4018DBB2B84899112FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:25.057{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67B73172CC8A70D8C4A4EA9B473F3E0,SHA256=E2278736D71FB7F0566C62BB43CBBEF1726C6B6D83BA48C01BB6BF12A8EFE2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:25.005{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F12C2CE4B8F384B7DCD0D42FA67C0020,SHA256=A4848F507793CCC30E5311DDE1C0DEB7E415650CE4FCBE4ED9BAE533F16734B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.153{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54084-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.153{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54084-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000839809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:26.184{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E75ADD436C7796B637548800B7F2FE7,SHA256=18FFEDFEFCDA3E7DE472C770D2562834A24401000FDC0342224E33393B48B6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:26.132{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96FE50F436684D5886F3FD905A7F33BB,SHA256=CC8AC42D09EBD16DC0146C9E9033D009456F1A167C7DBBD7BE076FDBF9C5F650,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:22.773{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50482-false10.0.1.12-8000- 23542300x8000000000000000839812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:27.258{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4870982D7A8E13932FD47D66BF428B,SHA256=9260058A090EFBFD0825A625E03E1F905DB3D34C050CD383440AAD8BD20AB309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:27.198{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7186EC9BAAF34A01514344EB0DD186,SHA256=269D576F45A22E2BF14C7E9BC1FD310208158ED988AA79BFFA5844913F51DEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:28.276{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F99D61645BACD4244578383FCD8A79,SHA256=4771FAE2F8F38EBD68EBD9605AEDEFF320ECC342C4C9F4476FDE92740FCFE17D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:28.321{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FC3A17EDFFAC8D7DB48979C4D8E97B,SHA256=6B3AF995C0BAD33B30FBDE71E074730A7A8F23BC7B33D7B9A1A535E737613EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:29.348{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BC9B19A7A47FA6D24E50E660719E2A,SHA256=E5301EA1C930973E71E2FCBD63D497B846D5DD27AAE44B2F525CD24514C8833C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:29.998{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-063MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:29.392{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03EA4EA072417C5FE53B0907C16C90FB,SHA256=64D8AF73B07FACC7A8ADC47B29D7822920A4F67F475A12614D6FE32D8B5E43DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:30.433{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4EDD1965594BEEF4F2A5F4325873AF,SHA256=EC524610B7EDB94AB80F40104441DEF8EE76F4048D5CE3A2F2003FFE295E82BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:28.515{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54085-false10.0.1.12-8000- 23542300x8000000000000000839816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:30.459{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C375A3BA3018612FAD8658FBF1F0F79,SHA256=F23C093CFB2923F291195B2EA9FF97154A11BCB07F82BFA31E649433D3546D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:31.529{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C1868CA3B0AFFF1302E5595154E7B0,SHA256=6A462B685B940F745000209E75F86D6B645DCB8C540805E0896D7F511C7FB026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:31.533{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6436BD6F2A24919C268E5E90F8255AF3,SHA256=4A0128D733491AC6ADF314F96FB7C1CB0156B5374DC0F587AA0C272102C66B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:31.002{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:32.600{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6830F0B1A9F9D4783053FE12F0763F,SHA256=46A09F316A2B87ECC528FE7B7FB612E78AB0815BFDD139032DF475101048F639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:32.610{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A284B0778FD2F3B1811059C2545403,SHA256=58B7D62B377F529681EF2974EF232E4CA6038F5069FD934619D3DD794C282E8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:28.797{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50483-false10.0.1.12-8000- 23542300x8000000000000000393280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:33.681{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99819FEC98EB8CAFF781541EE67C3C6,SHA256=243EDE422CF5FBD6B4BC9C0E2EC5E46A39EAF48E809D23390E4D89C8AD9052C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:33.695{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30EE2C7CFCB942B6627847DF7A1622E5,SHA256=CF3670934F233B18CB0434DFD92E5F7CAE2A672BA2D8CD6CE0487F78A864F475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:34.770{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DD99224DBE2C7E8B7C5673F980B446,SHA256=2CE10ED228FCFA836BC09B2547C6D24EA953EEE9F330C5832F696EF56CD8FA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:34.764{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C76BB1439C5ACEA452F2EAEFDD93B23,SHA256=8E969EB725F069056B913B3E5D5FB55E182BC22C42828B9F8F1E877E4010FB59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:35.846{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8181948DB1EAB769C4772E612F6CF048,SHA256=6A5B8C4A38E5DFD4E6AB4FA316926BFD834522F851006B3CF55E219D52F84392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:35.845{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C8BDC11ECECE49B083A7A185925835,SHA256=30386873E6A7147F69A0FC58EF4D285E6DE947C7A190CED97E607393E376371E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:36.916{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201DF9BB6421B6E8E82B4AE40CA01F83,SHA256=4FC0E5878A0BB9820EBFC9457EE40978EDF67AE3E82AAEC9076E91427F4C1EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:36.929{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DC6CA7A3312A62BB6A171C126546D6,SHA256=7FC21D348CE49BAEF47794971DD9DB0686F39B408E4BF49B6A8187783E3CA4B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:34.559{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54086-false10.0.1.12-8000- 354300x8000000000000000393285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:33.960{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50484-false10.0.1.12-8000- 23542300x8000000000000000393284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:37.159{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C19F68C1DA0B78DAE08708C38CF0F8E7,SHA256=AA93BE8F24EEFD7E2872C95CCC50D1A03DBCC7D1913E12CFC3D8A6CACF402520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:37.008{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=802C4094F2CA80CF7ED5FC12E75B0B35,SHA256=D3A7E13C261D229809ECBE27D8AD984D6175A5E4CA7428A371C38FADA80AC593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.356{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.346{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.329{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.328{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000839849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.316{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A41489CD5635F78E361F910A6F7126FD,SHA256=68D9E03C8D8B8C19422AE942478308703CBE40C1A3C59A5A44B3404B0A32ABBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.283{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.279{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.273{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.268{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.254{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.241{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.236{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.229{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.198{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.192{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.176{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.170{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.160{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.148{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.139{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.128{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.118{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.111{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.103{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.049{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.046{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000839827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.017{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6283A5EB24D0EE783262085EC86B90F2,SHA256=769B613F51CF0E2A5C319DE704341E6CB340DC39CBFEB9CB1667D4B92521AD01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:38.010{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2B016AC5BE889DFE06264FD5EA35FD,SHA256=DE922C4719119F103A4923AEF8EDA5B29D66FC561674ACCF99B0F9DF80814BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:39.413{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2252B9B15FA05053C6992C6A8B24FF8,SHA256=5051CE51F28C7A29754D269B4CEA47F0C35C0E2799134C96632D2062931C384E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:39.099{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479B1F4C06B545049EEAF1292DB3C593,SHA256=FD32CF0DA5985A10D2B494CF33571CAC6DD8E6669BD2FF579CD0C1A1902A505E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:39.007{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000839856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:40.441{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E96004DC30A17A1237A272F014CA782,SHA256=874947312B9148F502BE3DB725250C6D0E15AEC1E841B8930593DB3841C7AD9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:40.177{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D38BB17431B08D62CB488AB03159DC0,SHA256=CA603338C0EF10A2016FC5F6FB52D15692E97673689E642633889731A562EB9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.561{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.559{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.556{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.554{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.553{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.551{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.550{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000839859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.533{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69642EA317AF227B57B1DE0ABD1673EE,SHA256=41C5CC55417D3DA16D498ECBBFCB3E081907568DF8A0470FF87B23F1EEE81411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:41.264{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C470C17BCE6155FCC957641C9E036E4,SHA256=D5CD6B44BF22EEEF4A742F1FD31CCF16952DFF498426850E9FC159DD16F89614,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.046{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.045{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 354300x8000000000000000839868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:40.522{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54087-false10.0.1.12-8000- 23542300x8000000000000000839867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:42.617{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665F6B5C56C207697F06C0AF24BC918F,SHA256=05F7E5044BBCDDB6DB7673BB1A5167C511AA8DC83F8480508D83872DEA8095B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:38.978{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50485-false10.0.1.12-8000- 23542300x8000000000000000393290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:42.349{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BC3B0B51013A90EB43073741B7D719,SHA256=99A4C5971278C73D6078494FC8F6514E690BDDC070BB05295FA9D740D2ED4B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:43.712{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E7CB168FF8212CA7EF259684430910,SHA256=DD8F60D7A97EE60B1CDAAC8C21C579D8A3C0B53CD19236B245F44DC131033CC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.756{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.751{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.748{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.744{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.742{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.738{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.737{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.734{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.729{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.721{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.720{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.714{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.708{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.696{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.685{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.680{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.654{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.647{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.638{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.624{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.613{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.580{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.570{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.557{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.535{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.523{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.514{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.497{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.495{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 23542300x8000000000000000393292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.427{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C2D57661D288966CB22F597FA7C051,SHA256=19BBDF38EBBF3F59162EFCF2D6F6F3BDFB4FC41C09270AF9C3383AF7B93D0048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:44.689{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC857F140C579FD74A62BD31F304569,SHA256=A452DE9C2D7EB422803E15F6756F09448F4614AC5E89EA9491D8F8C589352FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.827{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9991A773D8FE9FB38BA490485407D9E,SHA256=5641BE1730E90A29439CC269D34C740F0FFC8E7FB7B50F8B03F90664AD44FFE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.424{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.424{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.424{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.424{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97cd2|C:\Windows\system32\kerberos.DLL+79ec8|C:\Windows\system32\kerberos.DLL+1453f|C:\Windows\system32\lsasrv.dll+2fbf1|C:\Windows\system32\lsasrv.dll+2dad6|C:\Windows\system32\lsasrv.dll+33369|C:\Windows\system32\lsasrv.dll+30cb7|C:\Windows\system32\lsasrv.dll+2fbf1|C:\Windows\system32\lsasrv.dll+17b1d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000839886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.331{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000839899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:43.873{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54090-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000839898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:43.873{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54090-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000839897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:43.776{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54089-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:43.776{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54089-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:43.765{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54088-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:43.765{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54088-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000839893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:45.905{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5D6B5C31927C12C697EE24A0D08C80,SHA256=B45FC9D7007CEABDC7C9B9BD84C565349AC2E5A63606F839EBF5B09553595802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:45.793{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8F9D1FBE741DCF06ADF8B61F8FDE1F,SHA256=DAA1035306AEC9A3861C4E419AD1D61540EC328CBBEC94C35FB8BECED97B2497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:45.483{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B31F9FBFBCCB38F4753C864B7F404A9,SHA256=10177844DE499E190F735211249FB99A93C679C322CF40E050879101F63134F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:46.991{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E75A9A3E02AD4EAC820E23860A8745,SHA256=5492EC3F3B648BB5181DAC244DF0E672FED935245B6DC98670418BE10871EFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:46.860{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3149A0176ACE4EA01CBF27D397AEF159,SHA256=DA92E9D7B7D6AE83A2DB0C80A6CC0C8104FE05B1B7FA607FE82F876357053F77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:46.224{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:46.224{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:46.224{E56ECBBF-146E-6387-0B00-000000009902}6441464C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:46.208{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:47.956{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876B784DE62EC71A18C838879B75C5C2,SHA256=921E430FAC7F86869B1DA6508E44D6343897FEFF31F2182573E7A669606516D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:44.971{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50486-false10.0.1.12-8000- 23542300x8000000000000000839902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:48.106{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B46914D3DD0F2BFAC4930642A5BEEB2,SHA256=B8E102455758DE5FC98D84FB4AE7C3D2649BF6C75F43945D23D180515B053CBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:45.553{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54091-false10.0.1.12-8000- 23542300x8000000000000000839903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:49.091{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD768C15967A865ACC358E0CEC06ACA,SHA256=42E64DF4E22316785C005D39FDDAC2EDACF424C12D374A6F26ECDCA435902CFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23F5-6387-7102-000000009902}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-23F5-6387-7102-000000009902}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23F5-6387-7102-000000009902}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.881{E56ECBBF-23F5-6387-7102-000000009902}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.677{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.029{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80EF6E29BD30EB4A95E6CB3F37E5AF6E,SHA256=4AB02FD6E1E7FFED1E0DF214257622B4E94ABFC179FA2300FCA89FF564C4FB7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.963{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E5CDEF255320B97DE632FE7CD506697,SHA256=BB81A5E0F05BB5604AD3B724DA13795F538DC8B92F10927B87B4E48663C33F03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23F6-6387-7202-000000009902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-23F6-6387-7202-000000009902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23F6-6387-7202-000000009902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.542{E56ECBBF-23F6-6387-7202-000000009902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.119{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD76D3527E8DA107D13DAEB6007B57F,SHA256=512A846FB969AD19689A784FC23E5A6E07131C677160FA37CD63DF319BB800F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.088{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5654D375F7CCE2D08DEEB425E24660B0,SHA256=27480A95317F787E17300DE3935B9A65AA56BF66F659E7F86883F6F1DB4BC1F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.049{E56ECBBF-23F5-6387-7102-000000009902}29523432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000839904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:50.182{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1E90B89E7C2CEE7517AD006A85413C,SHA256=2A8438550D3C72C5FC8EF924E69AE20B5E549BA863DDF6BAE31E89CDF6BF0A5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.023{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23F5-6387-7102-000000009902}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.023{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23F5-6387-7102-000000009902}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.023{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23F5-6387-7102-000000009902}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23F7-6387-7302-000000009902}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-23F7-6387-7302-000000009902}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23F7-6387-7302-000000009902}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.409{E56ECBBF-23F7-6387-7302-000000009902}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000393367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:48.416{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50487-false10.0.1.12-8089- 23542300x8000000000000000393366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.117{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F7F3646849ABCBE62E9BD7F03EE631,SHA256=41636C1FDD7C4E86502E00F9EBE4FA6382D00EE680B85B6EF64286AC9E1A870E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:51.269{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A104436AE3DE8CE0C24606DECADFA37,SHA256=300AEDF9CBE2C2421ADA04B2B1A69CD4B885B07633EFCBD4C7B4AF7392AF0E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:52.261{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=42906FF847581E116D577246463053F7,SHA256=440CBA2FE43D7F7D95FEAB4AC95BC37AA6DBC8F9E26917F6BBEB9AE820A81CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:52.183{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D685CF4B28525F01B9F1C7A50409498,SHA256=4FA8F0D51C5F7B1C6460D5F28A3E6CB93F26440AB901095EB75EEBF215DEAF7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:52.899{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:52.361{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D292A6765C39923F2B6F6B738556B7F,SHA256=AC25D6BB083A24BD76D6D2A72DB116B540E7F36121A8E9389F698FD9454859C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.854{E56ECBBF-23F9-6387-7402-000000009902}39442512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23F9-6387-7402-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-23F9-6387-7402-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23F9-6387-7402-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.683{E56ECBBF-23F9-6387-7402-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000393384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.906{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50488-false10.0.1.12-8000- 23542300x8000000000000000393383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.260{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A34654F408595ADC3E0D409F3DD9401,SHA256=1A39A10188F110CCA7096A23CEE55E6F29F5804D770E46B68C3BCA5937E1B7E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:53.446{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969D752F92A07381157019EDBD3C4266,SHA256=15D4556EDF9D0C514141C1CC3F3770DEFA40F4D10A82EAC0BF937016D010D273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:54.525{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C18631C7F954A1EE0FAE4F0A17FC389,SHA256=91235E7B6B37CA97A18258C9E7559BE020FC82B326EAC99774F59C34BD897773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23FA-6387-7602-000000009902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-23FA-6387-7602-000000009902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23FA-6387-7602-000000009902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.917{E56ECBBF-23FA-6387-7602-000000009902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000393413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.541{E56ECBBF-23FA-6387-7502-000000009902}24003172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.369{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2FF1425F3E425682206C1314EBE2C1,SHA256=E7D679266CFEFB62D0D67300193D587E2996CA3F00E6EF251C1205B499437465,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23FA-6387-7502-000000009902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-23FA-6387-7502-000000009902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23FA-6387-7502-000000009902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.354{E56ECBBF-23FA-6387-7502-000000009902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000839910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:52.331{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54093-false10.0.1.12-8089- 354300x8000000000000000839909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:51.556{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54092-false10.0.1.12-8000- 23542300x8000000000000000393431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:55.525{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1E1A33D47F407A729254E3EEEB4C88,SHA256=C85ADF19116B6FBA2CAFCEDEC114A312F963B0A08BFC0495CA2951F33B18D567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:55.602{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAAB76176D1194FB492BC55EFF4BF202,SHA256=4A43123DD6DC1CF5F029B4CB81AB46FE02BCCFA23159D13050FF66AD91508E68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:55.181{E56ECBBF-23FA-6387-7602-000000009902}16243340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:55.160{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23FA-6387-7602-000000009902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:55.160{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23FA-6387-7602-000000009902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:55.160{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23FA-6387-7602-000000009902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 23542300x8000000000000000393449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.635{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE939D8E50DF77F1480B61670A96AA5,SHA256=AE7AB00DE5CD118F90B04D26801696F3A205C4767C32AB65A4EF8A338C2C4B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:56.700{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E5EFEDC0DDA3CB1C6B9F961F404AF0,SHA256=EFE6B8499E7BD1FFB37D827F49751F22663B7746953582FB62600D03D47C38A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.129{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23FC-6387-7702-000000009902}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.129{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23FC-6387-7702-000000009902}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.129{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23FC-6387-7702-000000009902}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 23542300x8000000000000000393445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.103{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14E6FB20FE93A2EC0235584278C1D8DD,SHA256=DE6FE3C275553F8934E8B406BF0904F38C3E088E2C339697329EB66203017923,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.013{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23FC-6387-7702-000000009902}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.011{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.011{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.011{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.011{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.011{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.011{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.010{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.010{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.010{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-23FC-6387-7702-000000009902}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.010{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23FC-6387-7702-000000009902}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.010{E56ECBBF-23FC-6387-7702-000000009902}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:56.229{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F260A74817FEA5AE7E6D85E560E902C2,SHA256=8E6295263A9F25F56E7CBDD02606ADABC315CE17E662B5D64556F0C91A87AA45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:57.718{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92AD84B09DD5D0E26CF9BB566CC5788,SHA256=5769B4DCB326B1D3583A59DBEF169B8E3E84C60C3AE7A081EF9BB59835CB7FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:57.794{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B4E17DFE855DC7291FC1F681360F2F,SHA256=5F3B818024BC9382BB21BCA863A63FED100941E27087D39BBA686B03598F0B55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:58.794{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863333915460704B2F75B271E08AA4DE,SHA256=DD4E82FACFABB66A1AACE4E1A14A0B0715DC9ED5D9085F50669634A85976FC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.836{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4011BB96E82F6EAFD3C92B711CC2DD23,SHA256=CA254A3D0118F7C48497624D9B6D223F79C0824D840917E3635B85D36D94014E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:55.941{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50489-false10.0.1.12-8000- 10341000x8000000000000000839940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.413{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.409{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.402{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.400{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.391{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.388{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.386{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.377{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.367{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.353{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.348{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.346{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.306{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.299{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.278{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.271{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.255{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.232{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.222{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.211{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.201{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.182{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.168{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.069{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.061{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000393453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:59.913{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7792BE12305D2C17277D4EAFF4AA78AC,SHA256=0A9A59BD7B2EFA9F4A95DDF0A8DFE0CE40AF782DCD7831AD3CF430D3CDD76A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:59.905{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2AD10D3E082243E64C92DFFE03F687,SHA256=EE2A6E2EDE00EA3C3CA8B0785A01870E4E9AAECCA6C62823EE125B6861113B2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:56.619{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54094-false10.0.1.12-8000- 10341000x8000000000000000839942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:59.133{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:00.986{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA5B2E81A318EEB939A32B5F4391A71,SHA256=ACD9AE164B3E68E140A631BB4DE0117C483131450C8E68D7F0D334DF77D564EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:01.077{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F1CCD0E53FECA46BE8BF7900CF35CA,SHA256=32B3BB6370426F0E3087B8B55B39AABFE6E0B1100EB2F6F8B2A801A71B97B452,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:01.857{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:01.857{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:01.857{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:01.841{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3100-000000009802}2952C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:01.695{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:01.693{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:01.690{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:01.686{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:01.685{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:01.682{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:01.682{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:01.173{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:01.172{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000393455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:02.158{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAEE38D85D12BF04125E1AAA3EE3C0F,SHA256=5DDC9CD9EDB126C2997962DAEB8ABA6ECC2DC095ACD6A38AD9623D0170368193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:02.062{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CEBD22005EAF2C26DFFBD8BD1D55B3,SHA256=EDD6B2BDC2C61390C4D484A00815A3B2399AC1E265DE92DFFC53D24885C47950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.666{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.664{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.662{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.660{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.659{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.657{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.656{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.655{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.653{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.650{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.648{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.642{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.639{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.633{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.627{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.626{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.613{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.606{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.597{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.590{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.581{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.551{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.543{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.526{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.511{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.503{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.495{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.483{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.477{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x8000000000000000393456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:03.231{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247F05BA7278002195E020B097634A97,SHA256=909FBA7D5434FFC9883B198DA89128CDB0DD5781B68E8399CCF5BD49CF384325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:03.150{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630DF4E2C83A91C24BCE6A2DCDDEAFA2,SHA256=69D2680F83121D79BEC055E53D8E3347F59A27796EA95D4A2C1266D504B1EBA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:01.849{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50490-false10.0.1.12-8000- 23542300x8000000000000000393486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:04.503{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B574DBCF05FBD210E8AEF18BBCDE8A5,SHA256=CB95C0FAE1FA7B31AF9B99A0A3D7A0A1EECF18758D84E87E19CDA5D396BDE963,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:02.548{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54095-false10.0.1.12-8000- 23542300x8000000000000000839961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:04.229{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517D9A77912BFADE5F0FF6E28D293966,SHA256=A81AA2A509D0CB96630A22FDA6624F7687E56573357B372F279D1C5D4BEB87BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:05.729{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51534EE07CD53186A57CCDB658EB819C,SHA256=77D279D41055A445CB072E03668393A6E005D1A22D75FB317F0269561ACA17BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.858{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2E501AC2DA5E0BB5D325188E45B7B909,SHA256=FE5B26B0964230C96DB2017A3E4FC516E4254D7EA2EA41069B738B0610920E74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.724{8A63456F-2405-6387-7702-000000009802}38762868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.524{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2405-6387-7702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.524{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.524{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.524{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.524{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.524{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.524{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.524{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.524{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.524{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2405-6387-7702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.524{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.524{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2405-6387-7702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.525{8A63456F-2405-6387-7702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.321{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752998A5D49C3F77540DC59D84CBD05B,SHA256=5A460E127755BDBACF178A0F9F7813A4A56B1C167ED614D3AE07EBE8628495C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.024{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2405-6387-7602-000000009802}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.024{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.024{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.024{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.024{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.024{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.024{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.024{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.024{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.024{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.024{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2405-6387-7602-000000009802}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.024{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2405-6387-7602-000000009802}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.025{8A63456F-2405-6387-7602-000000009802}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:06.821{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D2614AFA1891156B248388A4D96601,SHA256=E565F25CF8057A3B148A51D9A190FFD6A76EFFE375DC02E25103852CC16372DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000840006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.679{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C19106BEE9F1F973300EB192965648E,SHA256=2F3113E9C467C1D5677D1B970F5A376B18E29BECE2B6A5CBB155F59774A7A1F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.185{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2406-6387-7802-000000009802}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.185{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.185{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.185{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.185{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.185{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.185{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.185{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.185{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.185{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.185{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2406-6387-7802-000000009802}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.185{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2406-6387-7802-000000009802}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.187{8A63456F-2406-6387-7802-000000009802}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:06.076{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55BC52EE03405754AF273FF5937D0FDE,SHA256=9287EF1D3468954E8ADC87439C8A2AB1FE8690FDE33D15E40266E8B03B827D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:07.906{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CAEB404C7B3B3152835AA6857FA2591,SHA256=DB929C49772F8DDEDE927F7E2FF39BC71BF839BA3BAA996AC060FB6B6AE3860A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000840010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:07.808{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8142BDB05F368F6DDDDC2A2891560FA,SHA256=FD55F07B1DAAA811CFC8E022B64FE86D3CB118A4C9ACD6E5584354302D71FAB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000840009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.834{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54096-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000840008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:05.834{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54096-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000840007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:07.144{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9FA19D99CE28F5379BEF33C3F78980E4,SHA256=5BDCFEE8113DF1A3095205AC7D11C3584111FA46B8BC633073D2A13C6479C2B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:08.990{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8286B9578DF3060F61CCAFBF7E27880B,SHA256=29B2E62863117BF1E8813E5194DC26310516912472BBE2DB27A2897189E7D747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000840025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.895{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9777D4DB03F92D2DC39BA8F6B855A6B,SHA256=382472F7C0A81A7284D6974AEB9469D7878C879C68EAB3215E9926EF0B774FB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.581{8A63456F-2408-6387-7902-000000009802}41441924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.392{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2408-6387-7902-000000009802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.392{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.392{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.392{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.392{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.392{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.392{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.392{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.392{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.392{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.392{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2408-6387-7902-000000009802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.392{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2408-6387-7902-000000009802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000840011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:08.393{8A63456F-2408-6387-7902-000000009802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000840054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:07.666{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54097-false10.0.1.12-8000- 10341000x8000000000000000840053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.709{8A63456F-2409-6387-7B02-000000009802}43244588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.560{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2409-6387-7B02-000000009802}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.560{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.560{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.560{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.560{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.560{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.560{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.560{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.560{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.560{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.560{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2409-6387-7B02-000000009802}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.560{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2409-6387-7B02-000000009802}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000840040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.562{8A63456F-2409-6387-7B02-000000009802}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000840039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.294{8A63456F-2409-6387-7A02-000000009802}31722560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.060{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2409-6387-7A02-000000009802}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.060{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2409-6387-7A02-000000009802}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.060{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2409-6387-7A02-000000009802}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.060{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.060{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.060{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.060{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.060{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.060{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.060{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.060{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.060{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000840026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:09.061{8A63456F-2409-6387-7A02-000000009802}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000840055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:10.057{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB33ADA74CDDE36A0C395522E616424B,SHA256=67FB0705F97529FEBDB4BD6E5CDA8EF2547FCBE080AD6F241A172AE4DD492EAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:06.981{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50491-false10.0.1.12-8000- 23542300x8000000000000000393492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:10.046{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B3275CB0A888647EF6CAA7883E05E1,SHA256=9C1026EF183AB835DA20EBAC53FCFEF01CA939906E9B7581151BB144A38E0456,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.958{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-240B-6387-7C02-000000009802}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.955{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-240B-6387-7C02-000000009802}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.955{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-240B-6387-7C02-000000009802}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.843{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-240B-6387-7C02-000000009802}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.843{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.843{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.843{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.843{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.843{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.843{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.843{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.843{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.843{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.843{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-240B-6387-7C02-000000009802}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.843{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-240B-6387-7C02-000000009802}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000840057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.844{8A63456F-240B-6387-7C02-000000009802}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000840056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:11.161{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF1DB7D608D0D7EA2EF9C2400DCF068,SHA256=F778FBF56A3B5414DBB23A0BE2F0765CC3B54609AED6A3DBE1D113FCA34CE444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:11.130{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6F036D8A9E3A9F545D62262A9E41B4,SHA256=E80AED59DC264AE042D5506375E5A917A6737A12B31196A93F955FFC9F67DFC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:12.218{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65CF915F9504ED157018077B798EC32,SHA256=25C4AD69D834E7AB03732748563ABFB783E5F483E8DE8212FF2AC67D9C8C785D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000840074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:12.874{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AED7DE1D8B91BA6423CE0A88240E5160,SHA256=323BC9B52B5BBFB1C52928B569DC1CA5AD483CE8D5E7F491190F758FB6BD5F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000840073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:12.241{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E218E342F9D86AACA4EB1E0884C225,SHA256=519A626CEB74A6410318D70568AF8C12A4573378519A42BD3393D6DFF0158F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:13.300{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E933A3239ED5E9AA8996A37C8E9558,SHA256=C58B979F4E78EF0C20790C7AE9CC4E9C316FC568B7099F33FEEC9F300535AA64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000840075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:13.337{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7CBC2D7DBD600035CC29D444FBA75C,SHA256=C047174878E555B418EA1282409BD5C9C0CEDA2219A24C3F5AAA1557F78AC940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:14.363{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDD261074AE43F890EDC94363988DB2,SHA256=2A1D53590AC91936A5915E01DB5B96903CD30FE7D1FA9B5D5D5214F93088BE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000840076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:14.406{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06715CE405C37B2F9EFDEDD60BC5362,SHA256=3134983960D35BFD613B09337EA09A9C07EBA1592C6D7FC66CA649A4EC0A5464,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:12.912{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50492-false10.0.1.12-8000- 23542300x8000000000000000393498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:15.421{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440BF57D8AEC5D6A540D14BA14660F07,SHA256=80056F834569B9DA05B19D82E0521DB93D6E6D8D1B5F6700957AFAB59CDB5BFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000840078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:13.570{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54098-false10.0.1.12-8000- 23542300x8000000000000000840077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:15.489{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2BBFCA5EE0ADC87CC736412F1E8C3D9,SHA256=FFCBDBE456BB89F24469E06D2B05A1644A2091A7209EA6ADD7BF203068C0C5D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:16.483{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E2B8F5B4D853F9D5688CDAC332ADE3,SHA256=308C99C67F0FF4C4DB0332D5630C8331ED9AB2B48D4967F770ECEA4C6E8005C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000840079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:16.574{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53444581B12E9D93E520645104A618C,SHA256=DC1C8C8111925BE48FF9896B6B5AAE1FC81CDAAA8FB3C4F22606B8868A356B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:17.568{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84145AC2D74E895F1C40B1EE358273E,SHA256=301B816F6794769464C2C0DB082FE27B731ABFB9E36D332B9D36959B32D49F6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:17.797{8A63456F-1471-6387-1400-000000009802}10921380C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000840080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:17.641{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21F9D101840AE8574172CD68D90AD83,SHA256=612D0D92DE7728D37D91C83471428179B3F6D206C996FD4EB843BB8A9A1C81DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:17.118{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-064MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:18.637{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAFE5AA99FB4982975E834C72AB25A49,SHA256=567565A095FAAE740CA4F6AC001204C60B8CF9CEF404D13DDF8C3C8597817CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000840109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.984{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B88EEE46C6DA8FA9CE55D6BEB15FDB8,SHA256=B57838E77E652301E7BF5447068E63F903B7BAAD62FA7F1B1BFF149A2A43B322,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.744{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 23542300x8000000000000000840107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.692{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD45373E201D1A70DE4F402940F01C7,SHA256=7658ABFBC759169668405BF67F52576B2EDC452D41FE7E6871D2D13CC337030D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:18.124{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-065MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.269{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.260{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.250{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.246{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.235{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.232{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.230{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.224{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.215{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.210{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.207{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.202{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.176{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.170{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.156{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.150{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.144{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.134{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.125{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.118{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.110{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.103{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.095{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.045{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.042{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 23542300x8000000000000000393515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:19.703{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5B7A005426F02E709AE768C3E32F0B,SHA256=F9D1E10C636C0FEAD0AB63EE12887BC69F400743BF2238757BBADB27901CFB4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000840112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:19.757{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A36BA7F8B96F9D10111860A1B52EE56,SHA256=303288473F3B0F4F6AD75317E8DF036AA8CBD12ACFC551E872D1CE73B477E07E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000840111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:19.723{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=96333484BEE995A8A3E4CAC493C519D2,SHA256=AF14FE6C459C7AAEFFE9347DCEFFFA4D7C49909BD82956CABF3CAFF4C660A13A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000393514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:36:19.410{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000393513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:36:19.410{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003d23db) 13241300x8000000000000000393512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:36:19.410{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90496-0xd123fc5d) 13241300x8000000000000000393511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:36:19.410{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049f-0x32e8645d) 13241300x8000000000000000393510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:36:19.410{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a7-0x94accc5d) 13241300x8000000000000000393509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:36:19.410{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000393508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:36:19.410{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003d23db) 13241300x8000000000000000393507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:36:19.410{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90496-0xd123fc5d) 13241300x8000000000000000393506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:36:19.410{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049f-0x32e8645d) 13241300x8000000000000000393505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:36:19.410{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a7-0x94accc5d) 354300x8000000000000000840110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:17.235{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.187.221.34-51103-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local3389ms-wbt-server 23542300x8000000000000000393516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:20.788{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEE0530287D1E79816DBAE485D85783,SHA256=47C0913E5332451F4EE35FBEC4FC4F36FA5C66C02BA245BB5707EF484F337705,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000840163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:20.980{8A63456F-146C-6387-0100-000000009802}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000840162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:20.980{8A63456F-146C-6387-0100-000000009802}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000840161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:20.980{8A63456F-146C-6387-0100-000000009802}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x8000000000000000840160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:20.980{8A63456F-146C-6387-0100-000000009802}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000840159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:20.980{8A63456F-146C-6387-0100-000000009802}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000840158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:20.980{8A63456F-146C-6387-0100-000000009802}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 10341000x8000000000000000840157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.980{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.980{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.980{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.965{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.965{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.965{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.965{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.965{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.965{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.965{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.965{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.965{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.965{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000840144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.965{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000840143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.965{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000840142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.965{8A63456F-2414-6387-7D02-000000009802}3296728C:\Windows\System32\smss.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000840141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.964{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e72SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{8A63456F-2414-6387-7D02-000000009802}3296C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f4 0000007c 10341000x8000000000000000840140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.949{8A63456F-146C-6387-0200-000000009802}3244852C:\Windows\System32\smss.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6ce4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.949{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9bf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.933{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.933{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.933{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.933{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.933{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.933{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.933{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.933{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.933{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.933{8A63456F-2414-6387-7D02-000000009802}3296728C:\Windows\System32\smss.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000840128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.937{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e72SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{8A63456F-2414-6387-7D02-000000009802}3296C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f4 0000007c 10341000x8000000000000000840127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.918{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.918{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.918{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.918{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.918{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.918{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.918{8A63456F-146C-6387-0200-000000009802}3244852C:\Windows\System32\smss.exe{8A63456F-2414-6387-7D02-000000009802}3296C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6ce4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.918{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.918{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.918{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.918{8A63456F-146C-6387-0200-000000009802}324496C:\Windows\System32\smss.exe{8A63456F-2414-6387-7D02-000000009802}3296C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000840116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.926{8A63456F-2414-6387-7D02-000000009802}3296C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000f4 0000007c C:\Windows\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e72SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x8000000000000000840115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.840{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C0B35020D4ED7341247AD70E554E99,SHA256=CA8B844DDE00BCCFC4D523163BB209772CFE55E5E7764637C61E9A6FF6049559,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.770{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000840113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:20.769{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 23542300x8000000000000000393519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:21.869{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940E7999A79036259F0FF18FE59D1874,SHA256=37701DCB043F888F4B40CC3449E794B3C4EEB04FA00F1D47E40CCD782DC1AA7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.897{8A63456F-2415-6387-8002-000000009802}8404632C:\Windows\system32\LogonUI.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.897{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.897{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.882{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000840264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.882{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EE4AFBD398C5067E8F610C6E3952A2,SHA256=0E974DCE899DE625C028816BB394261F5D70C40F51AAC88D02E354E406583443,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.866{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.866{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000840261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.851{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=40EABEAFF8CD34CAD96102C75C013CFC,SHA256=994AFD84B3730AAF5662BF9EB19CCCF0EBBB5DA3CA9DF504C6AD4F457E30A552,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:18.827{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50493-false10.0.1.12-8000- 23542300x8000000000000000393517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:21.482{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=09DB451BC4D322DC84969D178680883C,SHA256=2F6C8F580DFD48025FA73D335D176CBE97FB743831980332D752DAB345CBCF97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.748{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.748{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.748{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.747{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.746{8A63456F-1471-6387-1600-000000009802}12801140C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.746{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000840254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.732{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C02BB13253012F15629096CD9D6AB99,SHA256=0613927C1BB0E458540F4DF6913B21560DDCDB4E9812C3220734A87E48A0B383,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.696{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.696{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.696{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.696{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.696{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.696{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.696{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.696{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.696{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.658{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.658{8A63456F-2414-6387-7F02-000000009802}41724268C:\Windows\system32\winlogon.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000840242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.660{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-2{8A63456F-2415-6387-23D3-1E0000000000}0x1ed3232SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000840241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.658{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+1f148|C:\Windows\system32\lsasrv.dll+1e371|C:\Windows\system32\lsasrv.dll+1d0ae|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.658{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+1f148|C:\Windows\system32\lsasrv.dll+1e371|C:\Windows\system32\lsasrv.dll+1cb7e|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.658{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+1b566|C:\Windows\system32\lsasrv.dll+1cb15|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.641{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.641{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.641{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.641{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.594{8A63456F-1471-6387-1600-000000009802}12801140C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.594{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.594{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.594{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.572{8A63456F-2414-6387-7F02-000000009802}41724584C:\Windows\system32\winlogon.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000840215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.571{8A63456F-2415-6387-8002-000000009802}840C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a6d055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000840214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.554{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.554{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.554{8A63456F-1471-6387-1600-000000009802}12801140C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.538{8A63456F-1471-6387-1600-000000009802}12801140C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.538{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.538{8A63456F-1471-6387-1600-000000009802}12801140C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.538{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.396{8A63456F-2414-6387-7E02-000000009802}43281180C:\Windows\system32\csrss.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.359{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.359{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.357{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.356{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.356{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.356{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.324{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.324{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.291{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000840197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.289{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000840196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.285{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000840195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.283{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000840194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.281{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000840193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.279{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000840192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.279{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 23542300x8000000000000000840191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.182{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495E01B842DA1BC8224C279808CF0736,SHA256=FDAAB378D99F242A85D505BE191FF707A953B6DD1966C82CF2EDC5E0EA09DED1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.140{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.139{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.139{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.138{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.138{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.138{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.137{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.136{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.135{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.135{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.132{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.131{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.131{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.131{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.129{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:21.129{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 354300x8000000000000000840174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.698{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54099-false10.0.1.12-8000- 354300x8000000000000000840173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.450{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-56294-false127.0.0.1-53domain 354300x8000000000000000840172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.319{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56294- 354300x8000000000000000840171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.319{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98c0:e4d5:88aa:ffff-56294-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000840170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:18.289{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local56294- 13241300x8000000000000000840169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:20.980{8A63456F-146C-6387-0100-000000009802}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000840168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:20.980{8A63456F-146C-6387-0100-000000009802}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000840167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:20.980{8A63456F-146C-6387-0100-000000009802}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x8000000000000000840166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:20.980{8A63456F-146C-6387-0100-000000009802}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000840165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:20.980{8A63456F-146C-6387-0100-000000009802}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000840164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:20.980{8A63456F-146C-6387-0100-000000009802}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 23542300x8000000000000000393520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:22.953{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549D8E1F1B08DB8F1D000D7294E802EB,SHA256=B8487A6EE9A0EDDE44D182418F23BD249E832016CFDE69692CDF6337B7E61FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000840404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.979{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F4FFE92B513EE7FA88B532A276ED48,SHA256=8AC1055D5D8BF6A61B4DAA0DFDFDE7CED954C9E91DC5CE8A48D987E1610BBA13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.977{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.975{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.975{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.975{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.974{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.974{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.974{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 23542300x8000000000000000840396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.973{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450FC05229235263B0BF499790790984,SHA256=5971439187A52EA0C0A3395733A9D035AAB2E7447CCD97531C952C7990F075C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.972{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.972{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.955{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2416-6387-8202-000000009802}620C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.877{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2416-6387-8202-000000009802}620C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.877{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2416-6387-8202-000000009802}620C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd52|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.861{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+20c1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.814{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.814{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.752{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.752{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000840385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.752{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000840384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.752{8A63456F-1471-6387-1600-000000009802}12801568C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.752{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.752{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.752{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.721{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000840379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.721{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000840378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.721{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000840377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.721{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.721{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.721{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.721{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.721{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.721{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.721{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.721{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.689{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.689{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.689{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.689{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.689{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.689{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+1f148|C:\Windows\system32\lsasrv.dll+1e371|C:\Windows\system32\lsasrv.dll+1cb7e|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.689{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+1b566|C:\Windows\system32\lsasrv.dll+1cb15|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.658{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.658{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.658{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.658{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.658{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.658{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.658{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.658{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.658{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000840353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.611{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B504234CF510EDF357050270C00424,SHA256=C99273EFB7C352AE10869AD2ABDE0E69AC5BCC91F757EC7E65628816A0B1DDAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000840352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.596{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887177990C98ACA1E9CCC49D9F4D22C0,SHA256=BE29294FC9E3DEDE185D57A4A33DF376953B278FBA54C79D9DC425D579D7F88C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.510{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.510{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.510{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-1471-6387-0F00-000000009802}3764840C:\Windows\System32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\termsrv.dll+a1327|c:\windows\system32\termsrv.dll+6aa08|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.480{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.464{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.464{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.464{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.464{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.464{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000840327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.464{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.464{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000840325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-ConnectPipe2022-11-30 09:36:22.464{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-510c5796-f610-4752-80bd-a4be320773a8C:\Windows\System32\svchost.exe 17141700x8000000000000000840324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-CreatePipe2022-11-30 09:36:22.464{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-510c5796-f610-4752-80bd-a4be320773a8C:\Windows\System32\svchost.exe 10341000x8000000000000000840323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.464{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.464{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.464{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.448{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.448{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.448{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.448{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.448{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.448{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.448{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.448{8A63456F-1471-6387-0F00-000000009802}3764944C:\Windows\System32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\termsrv.dll+a1327|c:\windows\system32\termsrv.dll+6aa08|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.448{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.448{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000840310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-ConnectPipe2022-11-30 09:36:22.338{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-9c9e7f2b-6814-479c-8f85-bc6866cd37f2C:\Windows\System32\svchost.exe 17141700x8000000000000000840309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-CreatePipe2022-11-30 09:36:22.338{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-9c9e7f2b-6814-479c-8f85-bc6866cd37f2C:\Windows\System32\svchost.exe 10341000x8000000000000000840308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.323{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.307{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.291{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.291{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.291{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.291{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000840302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-ConnectPipe2022-11-30 09:36:22.231{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-d3aeecf7-97a9-4c2a-8a0e-f3a473e55cf6C:\Windows\System32\svchost.exe 17141700x8000000000000000840301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-CreatePipe2022-11-30 09:36:22.231{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-d3aeecf7-97a9-4c2a-8a0e-f3a473e55cf6C:\Windows\System32\svchost.exe 10341000x8000000000000000840300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.231{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000840299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.231{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000840298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-ConnectPipe2022-11-30 09:36:22.230{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-e0bde028-6319-440d-a408-8b631d1c418aC:\Windows\System32\svchost.exe 17141700x8000000000000000840297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-CreatePipe2022-11-30 09:36:22.230{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-e0bde028-6319-440d-a408-8b631d1c418aC:\Windows\System32\svchost.exe 10341000x8000000000000000840296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.229{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.228{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.227{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.224{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.224{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.223{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.223{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.223{8A63456F-1471-6387-0F00-000000009802}3764656C:\Windows\System32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\termsrv.dll+a1327|c:\windows\system32\termsrv.dll+6a6ed|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.222{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.222{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.222{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.222{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.222{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.221{8A63456F-1471-6387-1600-000000009802}12801140C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.221{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.221{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.220{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.219{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.217{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.217{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.214{8A63456F-1471-6387-1600-000000009802}12801568C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.157{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.119{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.119{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.119{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.017{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.017{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.017{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8002-000000009802}840C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000393549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.633{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.631{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.629{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.627{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.625{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.623{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.621{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.620{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.617{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.613{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.611{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.605{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.591{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.583{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.577{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.573{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.561{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.555{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.547{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.539{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.533{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.511{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.504{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.499{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.492{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.486{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.479{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.472{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:23.470{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000840721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.978{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.978{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.978{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000840718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.978{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.978{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000840716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.977{8A63456F-1471-6387-1200-000000009802}7761076C:\Windows\System32\svchost.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000840715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-ConnectPipe2022-11-30 09:36:23.977{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-c0378a85-8112-4f1d-8fed-b0cedfc6c19aC:\Windows\System32\svchost.exe 17141700x8000000000000000840714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-CreatePipe2022-11-30 09:36:23.977{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-c0378a85-8112-4f1d-8fed-b0cedfc6c19aC:\Windows\System32\svchost.exe 10341000x8000000000000000840713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.977{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.977{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.977{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.976{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.975{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.975{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.974{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2416-6387-8202-000000009802}620C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.974{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2416-6387-8202-000000009802}620C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.974{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2416-6387-8202-000000009802}620C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.973{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.973{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.973{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.969{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.969{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.949{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000840698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.948{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000840697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.931{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735D436FBD8166AE1F6570416A79A4C5,SHA256=E4A850B68784EE213A217AB4DD805F27B6AEE251D742A96EB583D5BCC8F8FF8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.895{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.894{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.894{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.876{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.876{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.874{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+3a1a|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.869{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.865{8A63456F-1471-6387-1600-000000009802}12805044C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\sessenv.dll+3de88|c:\windows\system32\sessenv.dll+f881|c:\windows\system32\sessenv.dll+677c|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.851{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.851{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.851{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.845{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.841{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.841{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.836{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.836{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.835{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 23542300x8000000000000000840679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.820{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E7BD1111AFCBAB18D91D2C92C0D06B,SHA256=F07EDF304924E390B34A4D95618B4613BD64C9145CB52A162A7DB41C13C04163,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.788{8A63456F-2417-6387-8A02-000000009802}43844220C:\Windows\system32\conhost.exe{8A63456F-2417-6387-8802-000000009802}3488C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000840677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-ConnectPipe2022-11-30 09:36:23.745{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-05b9e218-1c3e-4adc-a587-a2bddf115988C:\Windows\System32\svchost.exe 17141700x8000000000000000840676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-CreatePipe2022-11-30 09:36:23.745{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-05b9e218-1c3e-4adc-a587-a2bddf115988C:\Windows\System32\svchost.exe 10341000x8000000000000000840675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.732{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.732{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.732{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.724{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.724{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.721{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.684{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.684{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.684{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.684{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.684{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-2417-6387-8B02-000000009802}3660C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.684{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.684{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.684{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.684{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.684{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2417-6387-8B02-000000009802}3660C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.684{8A63456F-1471-6387-1600-000000009802}12801140C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8B02-000000009802}3660C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+ac80|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+107e6|c:\windows\system32\UBPM.dll+d3c9|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.684{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.684{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2417-6387-8A02-000000009802}4384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.678{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.678{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.678{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.678{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.677{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.663{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.662{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.660{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.660{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.659{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.659{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.659{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2417-6387-8802-000000009802}3488C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.658{8A63456F-1471-6387-1600-000000009802}12801816C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8802-000000009802}3488C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000840643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.655{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6378EAF10D57EEAAF427BA6A0DAACF3A,SHA256=FDE74D48591150DEF11F7D94D769DA571745441D38BAA52A81B560118698FF9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.654{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.653{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.653{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.653{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.653{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.650{8A63456F-146E-6387-0A00-000000009802}636716C:\Windows\system32\services.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.636{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.581{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.565{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.565{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.565{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.565{8A63456F-146E-6387-0A00-000000009802}636368C:\Windows\system32\services.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1dc37|C:\Windows\system32\services.exe+17f38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x8000000000000000840630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.565{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1f96d7\Description@%%SystemRoot%%\system32\WpnUserService.dll,-2 13241300x8000000000000000840629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.565{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1f96d7\FailureActionsBinary Data 13241300x8000000000000000840628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.565{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1f96d7\Security\SecurityBinary Data 13241300x8000000000000000840627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.565{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1f96d7\DisplayNameWindows Push Notifications User Service_1f96d7 13241300x8000000000000000840626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localT1031,T1050SetValue2022-11-30 09:36:23.565{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1f96d7\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000840625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.565{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1f96d7\ErrorControlDWORD (0x00000000) 13241300x8000000000000000840624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localT1031,T1050SetValue2022-11-30 09:36:23.565{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1f96d7\StartDWORD (0x00000003) 13241300x8000000000000000840623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.565{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1f96d7\TypeDWORD (0x000000e0) 13241300x8000000000000000840622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.565{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1f96d7\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-14000 13241300x8000000000000000840621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.565{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1f96d7\FailureActionsBinary Data 13241300x8000000000000000840620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.565{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1f96d7\Security\SecurityBinary Data 13241300x8000000000000000840619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.564{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1f96d7\DisplayNameUser Data Access_1f96d7 13241300x8000000000000000840618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localT1031,T1050SetValue2022-11-30 09:36:23.564{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1f96d7\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000840617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.564{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1f96d7\ErrorControlDWORD (0x00000000) 13241300x8000000000000000840616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localT1031,T1050SetValue2022-11-30 09:36:23.564{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1f96d7\StartDWORD (0x00000003) 13241300x8000000000000000840615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.564{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1f96d7\TypeDWORD (0x000000e0) 13241300x8000000000000000840614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.564{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1f96d7\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-10002 13241300x8000000000000000840613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.564{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1f96d7\FailureActionsBinary Data 13241300x8000000000000000840612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.564{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1f96d7\Security\SecurityBinary Data 13241300x8000000000000000840611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.563{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1f96d7\DisplayNameUser Data Storage_1f96d7 13241300x8000000000000000840610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localT1031,T1050SetValue2022-11-30 09:36:23.563{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1f96d7\ImagePathC:\Windows\System32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000840609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.563{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1f96d7\ErrorControlDWORD (0x00000000) 13241300x8000000000000000840608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localT1031,T1050SetValue2022-11-30 09:36:23.563{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1f96d7\StartDWORD (0x00000003) 13241300x8000000000000000840607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.563{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1f96d7\TypeDWORD (0x000000e0) 13241300x8000000000000000840606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.563{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1f96d7\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-15000 13241300x8000000000000000840605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.563{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1f96d7\FailureActionsBinary Data 13241300x8000000000000000840604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.563{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1f96d7\Security\SecurityBinary Data 13241300x8000000000000000840603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.562{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1f96d7\DisplayNameContact Data_1f96d7 13241300x8000000000000000840602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localT1031,T1050SetValue2022-11-30 09:36:23.562{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1f96d7\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000840601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.561{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1f96d7\ErrorControlDWORD (0x00000000) 13241300x8000000000000000840600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localT1031,T1050SetValue2022-11-30 09:36:23.561{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1f96d7\StartDWORD (0x00000003) 13241300x8000000000000000840599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.561{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1f96d7\TypeDWORD (0x000000e0) 13241300x8000000000000000840598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.561{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1f96d7\Description@%%SystemRoot%%\system32\APHostRes.dll,-10001 13241300x8000000000000000840597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.561{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1f96d7\FailureActionsBinary Data 13241300x8000000000000000840596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.561{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1f96d7\Security\SecurityBinary Data 13241300x8000000000000000840595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.560{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1f96d7\DisplayNameSync Host_1f96d7 13241300x8000000000000000840594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localT1031,T1050SetValue2022-11-30 09:36:23.560{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1f96d7\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000840593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.560{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1f96d7\ErrorControlDWORD (0x00000000) 13241300x8000000000000000840592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localT1031,T1050SetValue2022-11-30 09:36:23.560{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1f96d7\StartDWORD (0x00000002) 13241300x8000000000000000840591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.560{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1f96d7\TypeDWORD (0x000000e0) 13241300x8000000000000000840590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.560{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1f96d7\Description@%%SystemRoot%%\system32\cdpusersvc.dll,-101 13241300x8000000000000000840589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.560{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1f96d7\FailureActionsBinary Data 13241300x8000000000000000840588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.560{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1f96d7\Security\SecurityBinary Data 10341000x8000000000000000840587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.557{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.557{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.557{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.557{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000840583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.556{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1f96d7\DisplayNameCDPUserSvc_1f96d7 13241300x8000000000000000840582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localT1031,T1050SetValue2022-11-30 09:36:23.556{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1f96d7\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000840581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.556{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1f96d7\ErrorControlDWORD (0x00000001) 13241300x8000000000000000840580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localT1031,T1050SetValue2022-11-30 09:36:23.555{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1f96d7\StartDWORD (0x00000002) 13241300x8000000000000000840579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:23.555{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1f96d7\TypeDWORD (0x000000e0) 23542300x8000000000000000840578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.552{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D670DF6F6A4ABF5A21597CD5B212415,SHA256=37B4FCC32487E17C6E821D64BE8B26261FB2B4E9DE5793FEB3E5AB58E3A9534D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.542{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.489{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.489{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.489{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000840573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-ConnectPipe2022-11-30 09:36:23.487{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-6fd61728-fcd3-4140-b5ad-7dddf22ee3eeC:\Windows\System32\svchost.exe 17141700x8000000000000000840572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-CreatePipe2022-11-30 09:36:23.487{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-6fd61728-fcd3-4140-b5ad-7dddf22ee3eeC:\Windows\System32\svchost.exe 10341000x8000000000000000840571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.485{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.487{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.485{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.485{8A63456F-1471-6387-1600-000000009802}12803880C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.484{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.482{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.482{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.411{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.408{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000840562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.408{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000840561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.397{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2416-6387-8202-000000009802}620C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.397{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2416-6387-8202-000000009802}620C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.397{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2416-6387-8202-000000009802}620C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.378{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.378{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.378{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.376{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.375{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.374{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.374{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.374{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.370{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.370{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.295{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.293{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.293{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.290{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.290{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.290{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.290{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000840541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.284{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142D331EDED475195978C2AE86347EDA,SHA256=A94F29D4F9F98D39EC0EB4A885349D1E42679C3EE9E643C3C0335000CF682ED3,IMPHASH=00000000000000000000000000000000falsetrue 18141800x8000000000000000840540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-ConnectPipe2022-11-30 09:36:23.281{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-489c1671-1193-4968-b2f7-6498f66932d4C:\Windows\System32\svchost.exe 17141700x8000000000000000840539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-CreatePipe2022-11-30 09:36:23.281{8A63456F-1471-6387-0F00-000000009802}376\TSVCPIPE-489c1671-1193-4968-b2f7-6498f66932d4C:\Windows\System32\svchost.exe 10341000x8000000000000000840538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.270{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0800-000000009802}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.270{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0800-000000009802}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.267{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.267{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.254{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.254{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.253{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.252{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.249{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.246{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.246{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.246{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.246{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.246{8A63456F-1471-6387-0F00-000000009802}3764840C:\Windows\System32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+1982c|c:\windows\system32\termsrv.dll+2320b|c:\windows\system32\termsrv.dll+22643|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 154100x8000000000000000840524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.238{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 10341000x8000000000000000840523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.241{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.240{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.240{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.240{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.238{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.238{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.238{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.238{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.235{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.235{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.232{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000840512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.212{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.210{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.209{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.209{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.209{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.209{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.208{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.208{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.208{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.198{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.197{8A63456F-1471-6387-1600-000000009802}12801140C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.197{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.173{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.173{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.172{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.172{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.172{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.170{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.170{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.170{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.170{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.169{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.169{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.169{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.168{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.168{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.167{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+4158d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000840485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.167{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000840484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.163{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.163{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.163{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.163{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.162{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.162{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.161{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.162{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.161{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.161{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.161{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.161{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.161{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.161{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.161{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.160{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.160{8A63456F-147F-6387-2500-000000009802}25124232C:\Windows\System32\spoolsv.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\spoolsv.exe+1b6e3|C:\Windows\System32\spoolsv.exe+1b549|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+3582b|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.160{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.160{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.159{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.158{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.158{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.157{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.156{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.155{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.154{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.154{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.153{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.153{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.153{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.153{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.153{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.153{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.153{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.151{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.151{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.151{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.151{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.151{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.151{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.151{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.150{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.150{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.149{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.148{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.148{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.148{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.148{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.148{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.148{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.147{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.147{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.146{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.146{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.145{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.145{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.145{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.144{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.144{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.144{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.144{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.142{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000840422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.141{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000840421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.140{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+37c3|c:\windows\system32\SYSNTFY.dll+1dcb|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.140{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.136{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.135{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.135{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.047{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.031{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.031{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.031{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.031{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.015{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.015{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.015{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.015{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.015{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.015{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:23.015{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:24.496{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0B27DB612A462B0F547603D892DA21,SHA256=6A98651351FC56C89DDC8CC967E3B69E3522BFCDB843762B4B1F6A481B0B1776,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.984{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.984{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.984{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.983{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.979{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.979{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.979{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.973{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.931{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.889{8A63456F-2418-6387-9202-000000009802}5923308C:\Windows\system32\wbem\wmiprvse.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\combase.dll+abec2|C:\Windows\System32\combase.dll+acbee|C:\Windows\System32\combase.dll+ac9ff|C:\Windows\System32\combase.dll+2f268|C:\Windows\System32\combase.dll+2ee80|C:\Windows\System32\combase.dll+3be44|C:\Windows\System32\combase.dll+c2a74|C:\Windows\System32\combase.dll+38f01|C:\Windows\System32\combase.dll+3a850|C:\Windows\System32\combase.dll+4dba|C:\Windows\System32\RPCRT4.dll+d5ff4|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b203|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000840912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.885{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.885{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.781{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.781{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.781{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 23542300x8000000000000000840907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.762{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1897CE69BEF01F1B78215205D5FE2D,SHA256=0FBA3131D641A49131E29BAF07E56CF4C76A157AB7F1FE43E188ACCC1E2C5A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000840906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.757{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D67893C3BD32B1D279FAF91E2AE44BB,SHA256=5DD1785D9B6459B17B88DD286BCE290732CE1D07AC9A001E4D2B00D04A521B87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.756{8A63456F-1471-6387-1600-000000009802}12802868C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1033a|C:\Windows\system32\wbem\wbemcore.dll+2d14f|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.745{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.735{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.725{8A63456F-1471-6387-1600-000000009802}12803880C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.725{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.709{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.709{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd52|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.709{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.709{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.709{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.709{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.709{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.709{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.709{8A63456F-1471-6387-1600-000000009802}12803880C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+ac80|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.693{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000840890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localT10532022-11-30 09:36:24.687{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask2022-11-17 12:49:16.195 10341000x8000000000000000840889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.671{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000840888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.671{8A63456F-1471-6387-1600-000000009802}1280NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTaskMD5=7A2163BAF11F784E3E14894450E1185D,SHA256=299A7F1EA1B6D7319064263EF354F04C7B1EE1BA5CDE1D75F606F1708CE58615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.671{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-2418-6387-9002-000000009802}2976C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.671{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-2418-6387-9002-000000009802}2976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.658{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8E02-000000009802}4240C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.658{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8E02-000000009802}4240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.658{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8E02-000000009802}4240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.630{8A63456F-1471-6387-1600-000000009802}12805040C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9002-000000009802}2976C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.629{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9002-000000009802}2976C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.584{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.584{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.584{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2416-6387-8202-000000009802}620C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.584{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.584{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0800-000000009802}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.584{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.583{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.583{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.583{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.583{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.583{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2417-6387-8302-000000009802}4972C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2418-6387-8E02-000000009802}4240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2418-6387-8E02-000000009802}4240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2418-6387-9002-000000009802}2976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.582{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2418-6387-9002-000000009802}2976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.580{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-3100-000000009802}2952C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.580{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-3100-000000009802}2952C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.580{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.580{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.580{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.580{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.580{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.580{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.580{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.580{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.580{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.580{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.579{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.578{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.578{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.578{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.578{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.578{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.578{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.578{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.577{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.577{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.577{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.577{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.577{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.577{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.577{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.577{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.577{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.577{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.577{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2416-6387-8202-000000009802}620C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-2416-6387-8202-000000009802}620C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0800-000000009802}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0800-000000009802}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.576{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.574{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.574{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.574{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.574{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.574{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.574{8A63456F-2417-6387-8D02-000000009802}23603872C:\Program Files\Aurora-Agent\aurora-agent-util.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x8000000000000000840765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.570{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.473{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.473{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.473{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.354{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.354{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.354{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.354{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.353{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-2418-6387-9002-000000009802}2976C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.353{8A63456F-2418-6387-8F02-000000009802}32684188C:\Windows\system32\userinit.exe{8A63456F-2418-6387-9002-000000009802}2976C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+23e5|C:\Windows\system32\userinit.exe+346e|C:\Windows\system32\userinit.exe+3725|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000840755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.291{8A63456F-2418-6387-9002-000000009802}2976C:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\Explorer.EXEC:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 10341000x8000000000000000840754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.268{8A63456F-1471-6387-1600-000000009802}12805040C:\Windows\system32\svchost.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.268{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.249{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.249{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.248{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.248{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.246{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.245{8A63456F-2414-6387-7F02-000000009802}41724728C:\Windows\system32\winlogon.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+ea76|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000840746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.245{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEC:\Windows\system32\userinit.exeC:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000840745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.240{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000840744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.235{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C35E6AABB499358E60DAC10D1A5563A3,SHA256=D2F749EA338C2E127739CA7161C458831D033DE0491A5F5A0307627AB3A2A5DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.209{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.184{8A63456F-2418-6387-8E02-000000009802}42401544C:\Windows\system32\conhost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.151{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2418-6387-8E02-000000009802}4240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000840740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.486{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54102-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000840739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.486{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54102-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000840738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.478{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54101-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local49666- 354300x8000000000000000840737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.478{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54101-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local49666- 354300x8000000000000000840736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.476{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54100-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 354300x8000000000000000840735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.476{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54100-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 10341000x8000000000000000840734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.066{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.066{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.066{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.065{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.065{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.065{8A63456F-1471-6387-1600-000000009802}12805040C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.049{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.049{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.049{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.018{8A63456F-1471-6387-1200-000000009802}7761076C:\Windows\System32\svchost.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+1969|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.018{8A63456F-1471-6387-1200-000000009802}7761076C:\Windows\System32\svchost.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\ncbservice.dll+165c|c:\windows\system32\ncbservice.dll+227a|c:\windows\system32\ncbservice.dll+205e|c:\windows\system32\ncbservice.dll+1bdb|c:\windows\system32\ncbservice.dll+181b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.018{8A63456F-1471-6387-1200-000000009802}7761076C:\Windows\System32\svchost.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+17cf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.018{8A63456F-1471-6387-1200-000000009802}7761076C:\Windows\System32\svchost.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:25.546{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C749D867F29CDF8C68099DA720D2EDC5,SHA256=D27C49559305D1E5382DD538E3A93F312CBA5CE95EC51C0EE2F867886BC27977,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.989{8A63456F-1471-6387-1600-000000009802}12804312C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.989{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.973{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.973{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.958{8A63456F-2414-6387-7E02-000000009802}4328992C:\Windows\system32\csrss.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.958{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000840981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.958{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000840980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.958{8A63456F-2417-6387-8602-000000009802}18484992C:\Windows\system32\sihost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.958{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000840978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.958{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+41001|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000840977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.942{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48CC212750F81DB53FED23FD50F542A2,SHA256=7F74057104888D070C8C175473A20849AD5648704FC573984F3E90DB7A001B67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.870{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.870{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.735{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.735{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.641{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.641{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.641{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.641{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.641{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.619{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.619{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.619{8A63456F-1471-6387-1600-000000009802}12804312C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\shsvcs.dll+11f99|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000840964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.619{8A63456F-1471-6387-1600-000000009802}12804312C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x101068C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\shsvcs.dll+11f27|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000840963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.619{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.616{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.613{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.613{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000840959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.572{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6DF056C3F9DAB224E0DF37123E30F6,SHA256=A2E0ED7D11AB8400417CAF873839C4E674394B3124A7DCE10E8F499901A85B39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.479{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.443{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.404{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.355{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.304{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.247{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.247{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.240{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.240{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.240{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.240{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.230{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.229{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.229{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.229{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.228{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.228{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.228{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.211{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.211{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.211{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.210{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.210{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.210{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000840934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.181{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.144{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000840932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.604{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local56747- 354300x8000000000000000840931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.601{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local59966- 354300x8000000000000000840930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.493{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54103-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000840929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:22.493{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54103-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 10341000x8000000000000000840928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.103{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.067{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000840926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.027{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF7ADADCDA0566FF094022E45E0490D,SHA256=D3D2316604C78CDEF1E2F6EFE4CF42242FE54824FCFFECA90170B81AAA139B8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.021{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.008{8A63456F-2417-6387-8502-000000009802}20565004C:\Windows\System32\RuntimeBroker.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000840923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.008{8A63456F-2417-6387-8502-000000009802}20565004C:\Windows\System32\RuntimeBroker.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000841119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.983{8A63456F-1471-6387-1600-000000009802}12804312C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.983{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:26.599{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6DB77E9876DDD6A715A7E206C2A88F,SHA256=EA7581BB4B855532245D57665C37FC1504060DE01F2BBA647D42D1ECDCBFFF5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.927{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3727A5B3532EE82F8DC74F6BC0B03C19,SHA256=5FE93481B570CA0D52222903E84C96319EA669FD056C4650B8E1BF7215EC8A08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000841116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.849{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000841115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.849{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000841114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.849{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 23542300x8000000000000000841113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.849{8A63456F-146C-6387-0100-000000009802}4NT AUTHORITY\SYSTEMSystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTaurora-agent-kernel-session.etlMD5=AC3B5A19643EE5816A1DF17F2FADAAE3,SHA256=834A709BA2534EBE3EE1397FD4F7BD288B2ACC1D20A08D6C862DCD99B6F04400,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 10341000x8000000000000000841112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.774{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.772{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 23542300x8000000000000000841110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.745{8A63456F-146C-6387-0100-000000009802}4NT AUTHORITY\SYSTEMSystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTaurora-agent-session.etlMD5=AC3B5A19643EE5816A1DF17F2FADAAE3,SHA256=834A709BA2534EBE3EE1397FD4F7BD288B2ACC1D20A08D6C862DCD99B6F04400,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 10341000x8000000000000000841109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.732{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.731{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.690{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.690{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000841105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.690{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA78D387BE191C32208FF6CE0E9201F6,SHA256=86D1DB81F3E2E9453ED8CEF9903103406E6D1FEA585DADB3130E1C6131CF098C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000841104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.642{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.639{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.633{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.633{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.632{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21201952C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000841096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000841089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000841088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000841086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000841085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000841083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.597{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000841082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.596{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.596{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.567{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.567{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.566{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.566{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.563{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.563{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.554{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.554{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 23542300x8000000000000000841072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.540{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDDB9C19E7875BCDC4AE7E3D6488B28,SHA256=EE8F5075CAED27DCE6ADF710A4B242466FE17594A84561821C575E8795689242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.535{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD09B8B4B8F5234C30E37558FE29A1E,SHA256=8B360AD403DCFE3528B897DB13B95A87AAACEEA13C210B5354089D2145183122,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000841070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.492{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.492{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000841068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.492{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000841067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.491{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.491{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000841065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.491{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.491{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.490{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000841062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.490{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.489{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.488{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000841059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.488{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000841058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.487{8A63456F-2417-6387-8602-000000009802}18481560C:\Windows\system32\sihost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.486{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.486{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.484{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.484{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.479{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000841052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.478{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+41001|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.476{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+be725|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000841050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.476{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+be725|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000841049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.472{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.472{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.456{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000841046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.455{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000841045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.455{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000841044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.339{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.338{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.335{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.334{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000841040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-ConnectPipe2022-11-30 09:36:26.331{8A63456F-2419-6387-9302-000000009802}1072\TDLN-1072-41C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe 17141700x8000000000000000841039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-CreatePipe2022-11-30 09:36:26.331{8A63456F-147F-6387-2A00-000000009802}2680\TDLN-1072-41C:\Windows\system32\svchost.exe 10341000x8000000000000000841038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.330{8A63456F-147F-6387-2A00-000000009802}26802252C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\tileobjserver.dll+c332|c:\windows\system32\tileobjserver.dll+10992|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000841037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.330{8A63456F-147F-6387-2A00-000000009802}26802252C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|c:\windows\system32\tileobjserver.dll+c2df|c:\windows\system32\tileobjserver.dll+10992|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000841036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.325{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.325{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.312{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000841033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.308{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.308{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.306{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.304{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.298{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.298{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.298{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.297{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.289{8A63456F-2417-6387-8602-000000009802}18481560C:\Windows\system32\sihost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000841024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.289{8A63456F-2417-6387-8602-000000009802}18481560C:\Windows\system32\sihost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000841023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.286{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.286{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.285{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000841020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.284{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beb0b|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.284{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beb0b|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.284{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beb0b|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.284{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+fcc8c|C:\Windows\System32\TwinUI.dll+b9d14|C:\Windows\System32\TwinUI.dll+b5a2b|C:\Windows\System32\TwinUI.dll+d5d2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.283{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.282{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.282{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.282{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.269{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.269{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.260{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000841009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.257{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beaae|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.257{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beaae|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.257{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beaae|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.257{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+fcc8c|C:\Windows\System32\TwinUI.dll+b9d14|C:\Windows\System32\TwinUI.dll+b5a2b|C:\Windows\System32\TwinUI.dll+d5d2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.256{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.256{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.233{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.233{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.228{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000841000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.100{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Notifications\WPNPRMRY.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000840999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.010{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.010{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.010{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.009{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.009{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.009{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.007{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.007{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.007{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.006{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8E02-000000009802}4240C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.006{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8E02-000000009802}4240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000840988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:26.006{8A63456F-147F-6387-3100-000000009802}29523532C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8E02-000000009802}4240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000841165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.994{8A63456F-1471-6387-1100-000000009802}3721636C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000393554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:24.792{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50494-false10.0.1.12-8000- 23542300x8000000000000000393553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:27.701{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911E67B78630E69B141F1796C41829C5,SHA256=5640A14497A9FEDE8A0D38BE977906FB8933E67DB541E0AFE55D14897FD24596,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000841164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.965{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.951{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.951{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.950{8A63456F-2417-6387-8602-000000009802}18481600C:\Windows\system32\sihost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000841160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.949{8A63456F-2417-6387-8602-000000009802}18481600C:\Windows\system32\sihost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000841159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.938{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000841158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.938{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000841157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.901{8A63456F-2417-6387-8502-000000009802}20565004C:\Windows\System32\RuntimeBroker.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000841156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.901{8A63456F-2417-6387-8502-000000009802}20565004C:\Windows\System32\RuntimeBroker.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000841155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.901{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.896{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.895{8A63456F-2418-6387-9102-000000009802}21205104C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.895{8A63456F-2418-6387-9102-000000009802}21205104C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.894{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.894{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.879{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.874{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.874{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.770{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.769{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000841144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.769{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000841143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.769{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000841142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.768{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.768{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000841140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.768{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000841139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.738{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000841138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.736{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beaae|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.736{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beaae|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.736{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beaae|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.735{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+fcc8c|C:\Windows\System32\TwinUI.dll+b9d14|C:\Windows\System32\TwinUI.dll+b5a2b|C:\Windows\System32\TwinUI.dll+d5d2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.734{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.734{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000841132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.105{8A63456F-2417-6387-8D02-000000009802}2360update-lite.nextron-systems.com0::ffff:207.244.242.102;::ffff:82.165.105.236;C:\Program Files\Aurora-Agent\aurora-agent-util.exe 10341000x8000000000000000841131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.630{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.630{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.620{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000841128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.616{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7796C7B672672CA664D21CDF811330D8,SHA256=F98B99CAEBA35B447BDADE996B77B0DA43C2CF0D623FF1811998C285C12D6CDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000841127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.610{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76afa|C:\Windows\System32\combase.dll+6d8bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b203|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000841126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.609{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76afa|C:\Windows\System32\combase.dll+6d8bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b203|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000841125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.448{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.438{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.438{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000841122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.084{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local58534- 354300x8000000000000000841121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:24.538{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54104-false10.0.1.12-8000- 23542300x8000000000000000841120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.000{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9FFC2C0C49664E52A3A1396FCAE0D1,SHA256=384E78417D244FFFBF7C448704EDE22396C217942F458F4C6FCE55EF0F68DA51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:28.785{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974CA935232D9CC281CEBE97B02C0CE6,SHA256=EA334E63EDA5715D0A5469D7AC459DE402656A3DECF16A614AEAAB0D89DCCAEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000841215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.626{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.620{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.620{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.615{8A63456F-147F-6387-2A00-000000009802}26802252C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\tileobjserver.dll+c332|c:\windows\system32\tileobjserver.dll+10822|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000841211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.614{8A63456F-147F-6387-2A00-000000009802}26802252C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|c:\windows\system32\tileobjserver.dll+c2df|c:\windows\system32\tileobjserver.dll+10822|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 18141800x8000000000000000841210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-ConnectPipe2022-11-30 09:36:28.614{8A63456F-2418-6387-9102-000000009802}2120\TDLN-2120-41C:\Windows\Explorer.EXE 10341000x8000000000000000841209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.614{8A63456F-147F-6387-2A00-000000009802}26802252C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\tileobjserver.dll+c332|c:\windows\system32\tileobjserver.dll+10992|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 17141700x8000000000000000841208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-CreatePipe2022-11-30 09:36:28.614{8A63456F-147F-6387-2A00-000000009802}2680\TDLN-2120-41C:\Windows\system32\svchost.exe 10341000x8000000000000000841207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.614{8A63456F-147F-6387-2A00-000000009802}26802252C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|c:\windows\system32\tileobjserver.dll+c2df|c:\windows\system32\tileobjserver.dll+10992|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000841206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.613{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.612{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.611{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.611{8A63456F-2418-6387-9102-000000009802}21202720C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\wpncore.dll+466bd|C:\Windows\System32\wpncore.dll+4658e|C:\Windows\System32\wpncore.dll+434e3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x8000000000000000841202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.611{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.611{8A63456F-2418-6387-9102-000000009802}21202720C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\wpncore.dll+466bd|C:\Windows\System32\wpncore.dll+46600|C:\Windows\System32\wpncore.dll+434a7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x8000000000000000841200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.609{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.609{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.608{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\wpncore.dll+466bd|C:\Windows\System32\wpncore.dll+4658e|C:\Windows\System32\wpncore.dll+434e3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x8000000000000000841197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.608{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\wpncore.dll+466bd|C:\Windows\System32\wpncore.dll+46600|C:\Windows\System32\wpncore.dll+434a7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 10341000x8000000000000000841196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.606{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.606{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.597{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.597{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.570{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.570{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.563{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+1a90e1|C:\Windows\System32\TwinUI.dll+beb29|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.563{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+1a90e1|C:\Windows\System32\TwinUI.dll+beb29|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.563{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+1a90e1|C:\Windows\System32\TwinUI.dll+beb29|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.562{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beb0b|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.562{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beb0b|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.562{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+fcc8c|C:\Windows\System32\TwinUI.dll+b9d14|C:\Windows\System32\TwinUI.dll+b5a2b|C:\Windows\System32\TwinUI.dll+d5d2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.550{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.550{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.545{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.252{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.252{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.252{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.252{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.252{8A63456F-2417-6387-8602-000000009802}18484768C:\Windows\system32\sihost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000841176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.252{8A63456F-2417-6387-8602-000000009802}18484768C:\Windows\system32\sihost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000841175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.245{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.230{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.230{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000841172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.213{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.212{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.202{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.202{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000841168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:25.289{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54105-false207.244.242.102-443https 10341000x8000000000000000841167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.044{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000841166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:28.043{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AB61044B9863EF5D04AA8672957EE1,SHA256=876B9D46B48327786E046A407A60654F7DFFB256E81E86785A6446C754992031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:29.870{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A7BD672E3ED9358508DD4853767FE9,SHA256=1F72E9C69B286B8A4BC55749B61D62532E22346683A90D451C980BACC88FD5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:29.085{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53210011D207BCEFC50447505F44AD5F,SHA256=749902A698CD8137728D3B75057DF48EA4AB3D351E3DA92A2581D0F0DE91784B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:29.075{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1121A9634D0CFC0377BACACD97E707D0,SHA256=E96822AF7A466239DAA21AA8C1C7D3CB5B05FADB42B60A48DAE3EF2558D616F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:30.949{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DE6BF9BE9251CE211A83C6CD358E74,SHA256=272E7030C5CBFE0D64CB81A464F4ECAC2B23C49381F10E0206861D1F8471AC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:30.995{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\iocs\orig--falsepositive-hashes.dat.tmpMD5=FEFBC66B7A8F6A39EC48C81457E0E8DF,SHA256=65F3E0D5DC1F6819E39AEAFEE643ADC42181C4C0D2D10109D75804F7C920DCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:30.095{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=343C92287EA18578E6AD7A2BC1DBEECA,SHA256=1E8E297954CF90FBD0FC479BED9237BAC47E9E7311212688C2C9454359CAEB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.999{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_vslsagent_agentextensionpath_load.yml.tmpMD5=81CB8BB4EB51A1279F5C7AB1B54AA10B,SHA256=94BDDFC822952F57F15AE0BEE1B9F54A20C3E2913F803292EC01AF0EA3C87A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.997{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_shell_spawn_by_java_keytool.yml.tmpMD5=573B9DC97140A3E21BCE9C9B37A53F77,SHA256=29790BD4B530064DFE38DF9347BCE9E1633DB0727AECFA5E4C276D12A1992B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.996{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_bloodhound.yml.tmpMD5=773B86890024FC895C9C6CA4C02F56DD,SHA256=A7A0E0296EE18A5127EEDE6FB21076BAF6543BB4C392013071152618AA3DF083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.995{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_chisel_usage.yml.tmpMD5=5D984EEE0B3966B7A5E849702F422150,SHA256=2326C99E0C5CB35D01EAAE8E00DB1AA3D50DFE9FE4CD407A9130ED778527A31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.992{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_regedit_export_keys.yml.tmpMD5=062B873F6B4B80303F04722F38691E62,SHA256=B7394BD1FDEA162EA6AECD65CCA74E437B2D6BD33ADB62A4EBB6BA27722DC50F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.990{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_offlinescannershell.yml.tmpMD5=1AB360426044B4E724AA49426E6C751B,SHA256=6A26B6B91F26BE02876A5F5B9BAF48E075D8608987C7D0FCE30A92ACF799047F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.988{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_dnx.yml.tmpMD5=060749A811E439060F4DCDA797ABCEB3,SHA256=D2F51CF31C4ACB957D25D156B178C53B5CF9E3300F7AFCCEA4AE512DB39D05F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.987{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_parent_process.yml.tmpMD5=A5D827C1FAE0F475F0A82E3F608FEF50,SHA256=68E798D0D9A7677CC68BDAE2AD6DC81A6F55ABBED6FAF14E9CF471E5B521CE36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.986{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hktl_uacme_uac_bypass.yml.tmpMD5=4E0B5A71F2FF94C7DD308239D859A16A,SHA256=7039784CB4C6D0F9DB3A404CFD2EF5DFBFEA3A8F78FB341FB0F6EAEE740D8237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.984{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2019_1378.yml.tmpMD5=D8A3B79B38B59400B3096C427A9C485A,SHA256=3329668DFDD5FE4479B1828D47A6AE379C223B01ADD891D93E0CE219C3FBA29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.983{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_netsh_discovery_command.yml.tmpMD5=DCBF6A573A192E085B54E42E76CF691A,SHA256=7B6D7D32CDAE5D91D8117221B7B57C86EE98C0502A6D89E9E048A771202EF98A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.981{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bad_opsec_sacrificial_processes.yml.tmpMD5=14D767DCE39478D8A81532AD0DECD5E4,SHA256=872F6C15C5E2B857774879DB4590267F919A9AAC822CC0A2FD73EACA51E565BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.976{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_query_registry.yml.tmpMD5=F8D842EFB4E5959138448B7E91CAB0F9,SHA256=27F1F2DC9449240D9D8425F702F13FF209B61A02FB073B5B27844A63DC0C071E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.973{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_gmer_execution.yml.tmpMD5=E63B9E4AE429D719C36B2AF305D0BA8D,SHA256=8E6167A70979C974B8D964B90D0D9C91361218342B75687D8C5FA5F0C10D35A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.972{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_etw_modification_cmdline.yml.tmpMD5=F85039B589FBFA857487040D4E70C129,SHA256=0B0A26319BE7BBEBE26E96600F1A143FBF8198B9122FD7CBD29420B98C0BCD68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.969{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_wce.yml.tmpMD5=AD02AFD094883FE486D7C938FEE27710,SHA256=E84B551A68656738DF6387079B2FCECB4993151547B022A971F789EE65661FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.967{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_run_from_zip.yml.tmpMD5=2DB982CF3E367255CB0A8F6A80165F7F,SHA256=EE485A1E0149F9204BC780EF6FBC67F79C0871554C1AD3BF5D2C75DD1D766053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.966{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_adidnsdump.yml.tmpMD5=AFCCC66387C995AB2358B4F1E029A6F0,SHA256=85D93A224E53D5486F103F72F065AE932616BB689E192EC3746CF8468AB824C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.963{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tool_runx_as_system.yml.tmpMD5=A018B591C61E51B1F9AF7BAEA7DB885A,SHA256=7B2B37CF4FE8D126052A78B66CC77DE3D689B1CE39E53E0DFE1E73337E552959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.961{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regedit_trustedinstaller.yml.tmpMD5=774879CFA5C1DDDD289491051FE6575D,SHA256=608E023C5D4DC9368A760FCF3A6BD62C8B949B9639AB8C0CAC0D0D66141AED57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.959{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_control_panel_item.yml.tmpMD5=E7A62D5839ACD0D80CD8BBEDD8278E23,SHA256=D6CB002170C37E0B60A4416BAB64723B9F1B9AAB1E750981D611E42953E449D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.956{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_forfiles.yml.tmpMD5=F185DEE335AC9B3BC77A38AD051F82AA,SHA256=B190C87595F7A43DB24EF79AEA08403EFAE2B6AFEC75985914D7C9C951307792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.955{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_presentationhost.yml.tmpMD5=9DE68F16E2A01A1DB2BD9CEAAF1E930D,SHA256=E5038ADA8BEED362516DB5E939F4F6C88CA693134EA42C80643894D78B348109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.953{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_elise.yml.tmpMD5=F845940CB73E43E2ABB40C080827ACFD,SHA256=4534B3772573500BD9F2A0BF409BD5F297D28558265A2D97655AD55A9B0F27E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.951{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_net_default_accounts_manipulation.yml.tmpMD5=11A36947A0358BB5337F3C8216B73CD7,SHA256=F1E33533BF940307EAE65A4F0D6CED11990F72AEC1D94FE5DF974D058D39E7BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.948{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_7zip_cve_2022_29072.yml.tmpMD5=E95DD4BEB66DCFE903A1648DE849066B,SHA256=52FD17E2BBE65843251A3861F7AF1718A461130E392FF0D59A65C2DB42F8ADEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.946{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_pdqdeploy_runner_susp_children.yml.tmpMD5=4E55AC7FF286800850285CF4BCD2F650,SHA256=60CC5B380A10C8F5627690EC7579C6CC1696AB3C75A85C987AFF48E18E1406B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.945{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_sdelete.yml.tmpMD5=96950CE1E1EABE9378B027B2DD9AF49D,SHA256=F3B02D51978AA85CCE6C3B5DA8D0F0424DD2E3FEA16A06EA20B58FD2A19699DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.943{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_rasautou_dll_execution.yml.tmpMD5=6F9DB0582BEC8179923CF74533ED3C28,SHA256=5AFC4B8C5ED1CFD76CF672181CCBE40D440D78AA96C9FDC79167BB45BC147FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.942{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_ieexec_download.yml.tmpMD5=4955F700EEE0817B6021A84ECEB67261,SHA256=3CD789E03919AD9CC4A6397AA2B2BF7DC43CD123867FB1E08C0FE413332DD3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.940{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_sysprep_appdata.yml.tmpMD5=BDF7F4B4973A8084264213AFD7BA5937,SHA256=6C5D3D87AD2043B5D2C5EEC5BEA7F392F8B6923D2CB7768573FCA55A93BC5A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.938{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_monitoring_for_persistence_via_bits.yml.tmpMD5=305A24A9711CBFFAD9CAC0ABEBBD2462,SHA256=E1850199FFB03D047465839EAEE3255F4FED43DA935072950ED3886E6A45CD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.937{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exfiltration_and_tunneling_tools_execution.yml.tmpMD5=FD3A7BD6F7E0D95F183AA38308740FE1,SHA256=647068875A62789EF51FB971A748D1E2C5478FA72C1BA073A417BF082CC8BAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.936{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_msbuild.yml.tmpMD5=790483F4A03FE5A0FC099DE17B6A1039,SHA256=F36AA19F4B8BDBE4B6EACBFA5510216E0D926F1BF33804890425ED7DC9E80090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.934{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_shimcache_flush.yml.tmpMD5=AC45295952C53921F95715DF0E59DB38,SHA256=6968759D00FEDDE75EB425CB62518B2984CCBB815F75AB9B6E3160B5341302A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.933{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_aspnet_compiler.yml.tmpMD5=7F6BE24416549678E78CDDDCB0D90544,SHA256=3B98B36F37ECA4E2D79E997F243C6FE960A7658E2000DAF5739B4ACAEE2118C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.931{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_task_folder_evasion.yml.tmpMD5=9B865A460952E06B1BD9F6C30B1A815B,SHA256=57191C507997628A0CAF476B144F4C7B96396948500EC6BAC03219423DE36B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.930{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_covenant.yml.tmpMD5=39006EFA21154ED314C2D3049553240E,SHA256=D59E12A7F6AC7CA3D25A5487B54363150694057CFC8DA42C41CDCB7866A7F1F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.929{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_service_imagepath_change.yml.tmpMD5=672424A503118F5C559AB56D419A0D8B,SHA256=FA6BDBB7D9F905ADD0933E4AE80458E23462D0B53F1E080010F4C4F883F6D4FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.927{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_emissarypanda_sep19.yml.tmpMD5=ADB762379B8C4B3AD336557840F95D06,SHA256=9CB3798F06E53000E5AAC52C278AE8BFFFEB933CED0FC25FFA17D16BE5A5F26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.926{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_rundll32_not_from_c_drive.yml.tmpMD5=CABC08BE9DE41BC9E763106DB1A87A59,SHA256=2BCA9467C6CDB48C8313CC6B7E5CA372C69D8896FFB90A79757A12C1E33DEDCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.924{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_net_use.yml.tmpMD5=83FEE7981D30D20E3910A9997F15D0BD,SHA256=D0A107685E06416DD26E24F420B2A1BFFE6079503A1ED1882E018142B23FA6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.922{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_class_exec_xwizard.yml.tmpMD5=3E33D92CE3425C1E627BFB09CDCEB692,SHA256=21107B80096AC6F510CA5BEC531D5AC43E9478FC9EF37FB1A1B895416DF7536E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.921{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_uac_bypass_trustedpath.yml.tmpMD5=2AF8AFEBBFA237D85E2E9AD398A42464,SHA256=FE4C34DE1AC51B8E02F4936AF7840D2A3ED57376541F3BD7EC19792850D96724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.919{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_vul_java_remote_debugging.yml.tmpMD5=6C531A2F651D276C66620F6AC32A3F10,SHA256=39E8F8D2BD966DBAD91878199C278E8FF7CE6AFEC49EDB1F71C227FF8E6A481C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.917{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_msohtmed_download.yml.tmpMD5=F1F004B53EE31557327AFF239A9CD52E,SHA256=E78CD725E5443AE9A0F7D0A5AC8FDD2F7C148402794A81A465A77000C6B5998A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.916{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_renamed_paexec.yml.tmpMD5=C7A10C49B43CD987B5D54DBE60CBBAB4,SHA256=E30CAEED7DE48A747093A53EDC5BC6943B20464D563765E563E388697EC2EE5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.914{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_webshell_hacking.yml.tmpMD5=E87897511991A07CAA6D60C93882BE25,SHA256=ED960EFC1EABF614B7DA743C894CDD676C1E29D6D680667C40595501E17A4733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.912{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_rundll32_installscreensaver.yml.tmpMD5=7E0C1EBAF24C1373C33338D9F166690D,SHA256=6FA345EA0CEB560F6586820B2306D2D8708F291EAA890C87D27542B7B9160BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.910{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_conti_7zip.yml.tmpMD5=261354B3D231D6770A814A97CB5EB361,SHA256=7A3BE971F9561A72190416048E65E768DC25A916FC517599D32BD019F6824579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.908{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_gotoopener.yml.tmpMD5=DA63C75F5709A1F01E4497798BA0936C,SHA256=9F8904DF9AE8D277B61263271D4B30BA1AE3A39981D6BEAF4CFCB04A432565CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.907{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_runscripthelper.yml.tmpMD5=FB5AB29E84924A9D0BAC1EDC277D8FDE,SHA256=3E62C930DD71FC4BFA9AAB4C383874B977E4EDA5528D1B3CA62A0AB24129407C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.906{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tap_installer_execution.yml.tmpMD5=264A2A43117D2C6BFE864F794FA711B5,SHA256=6A4C2BB75C72E72F20642CD94FCC05FD26E8ECDEE049D1DDBD6B2C23AB48F65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.903{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_pktmon.yml.tmpMD5=82ADF7D3F0CF31E823B02676423282A2,SHA256=8BD87D3C63DC7E46B8A315293B22A82D4BD77E7B8C49F3ACB6BD570B1EF9BBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.901{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sdiagnhost_susp_child.yml.tmpMD5=A0FF88F8EEFC9903F097394CAF7ADD34,SHA256=35BA050BF6F7D76AD4AD94F7C012943AB13D6175C6AEBE256533D80ED7D2920E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.899{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_winsat.yml.tmpMD5=0B0DB08F905BA23B1AD4659694F7A628,SHA256=FECBDE1C32107B16CB67C17A12109AD6F9752F858F0194C438D73B7B1B60117F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.898{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_image_missing.yml.tmpMD5=B84559B5C595B5722E4FC8CB26F79547,SHA256=5B86E1CDEE9F709B9B7D1C02E14DF937976F23ED75BAF07B87C4C251725AA0D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.895{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_alternate_data_streams.yml.tmpMD5=A679CC2EADEC840C3E4FDBD52B60DD4A,SHA256=8EFE26CCBD3F0836437D9A421F9BED187FC2FBB126F8DA23C3702B8FB4AFFBEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.893{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_dir.yml.tmpMD5=2A8D721C520876F6026D28CFEB7A5C67,SHA256=0E949281F6E922E5DC7501E4B5D36F862182A890E3CF84146D4625C9156274EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.891{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_execution_path_webserver.yml.tmpMD5=90C81E69B86276D912266178C103F222,SHA256=647CE232DCF58B3C879957D2E1A2BC3CE49B7B770E8B98014FC86F895C97417D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.891{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_findstr.yml.tmpMD5=DC09AB5C45B2E9182DF74A3FE541B670,SHA256=12D5B94E234C4B3A294A39DE83D4BB877A95CCAC12D1D0646918C3075A1ED761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.889{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mal_darkside_ransomware.yml.tmpMD5=5849749CF816C9E8636008780864D67F,SHA256=611777FA3CAEBC7FA038556004E3BBE0B905A6EFAFA335A0A3EB15C5DA0391DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.887{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bitsadmin_download.yml.tmpMD5=6689D1242A666AEC9481B92A0EFA5F36,SHA256=1A11CE561C90BDB32FE9AFF682CA1DC26729E7C9591135A5B174DB5E7A39D248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.884{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_koadic.yml.tmpMD5=C3FFAE65BB8CD802821327E893F63C35,SHA256=FDF554F8FBE89E64DAE4F4E71C9F432AD2DFF58B027FDA6F7E4B59FF88A9F595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.881{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dotnet.yml.tmpMD5=198601B8DA27A3B2D942664D67230E9B,SHA256=0B579EA92249BB0B406DF8D6D7E476C07CD0C35DEE3C51DD507098C934E8D2BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.879{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_register_cimprovider.yml.tmpMD5=D068490B2A5AE3D47C6DC70D8A2C5829,SHA256=7B8F7700BA31C6BE711C1D7ECE7B89FA29E200F4575D6C69A7505DD396C90325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.878{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_rundll32_registered_com_objects.yml.tmpMD5=858F90D94E80E617A47DEE26CF11455B,SHA256=7C42B5EA9E541BE2A4113FB106A67ED98980570537414342420FD5A116DB0E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.876{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_windows_terminal_susp_children.yml.tmpMD5=3AAB4B220E1EFBE1ED897BBBD7FC1B72,SHA256=BADDD1AA6284183F92E5A6FBEEAD4BAC565068788CDBA2CCEAC742223C530BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.874{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_systeminfo.yml.tmpMD5=4CD47631AA4B0003E5A0E493D94020F4,SHA256=30C609B54EFF5633F841AC5862A79406FF6BCB9BA389961EDD5FB546EB88A4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.872{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_winnti_mal_hk_jan20.yml.tmpMD5=1CDB7560C626607C42D4DFEC94A1790A,SHA256=99D17338C29DC60CB70106228607BA60D249C755C428C4B1B680F2549F0B21FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.872{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2020_1048.yml.tmpMD5=DA154DF89D6751DE0AABF9AA925D87B1,SHA256=EB982D8EAD9910DE357945064E226F7375B36833F9A2F6640EBC692FEAEA1C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.871{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_curl_start_combo.yml.tmpMD5=839C94D05A03B50C402476CF608855DB,SHA256=CB41292D4A1A7C856854D5E2B9837BB8690956260FE6AA9FD85E62F4AA0E9053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.869{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_powershell.yml.tmpMD5=1C757F8DBC376EADB698AE58D896387E,SHA256=9FC9DEBF5910AF9CF11D222973415D9A3ACDF6F81E501FFA84FF875189B51DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.868{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_delete_services.yml.tmpMD5=F7F65A08977E86E9E376282FE2239947,SHA256=9D0F5F06B668AB0D0179CB79808085CD236EE9316D2122FC65C8CB2CC031BDCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.866{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_dtrack.yml.tmpMD5=617A6B685834CFD84C14407523662BFB,SHA256=D4735EDB7FC074B8A51D17DD689251F06016A742A9860D0EB939F2FC47FEF75A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.866{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_mpcmdrun_download.yml.tmpMD5=E92B6FFFE9EA0517423342BFFB81130A,SHA256=811AC1F5267DF049BF3B6878D3CF4B4695D035037D6D1051530E3A7F73E5E7BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.864{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_install_reg_debugger_backdoor.yml.tmpMD5=B1A2A0C83BF6F2FED691B45D82D67D6A,SHA256=C0FC84EF834B5A1590EA28489E5346B3E836C196AD7EB99C8C6CD135249831A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.863{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_lazarus_loader.yml.tmpMD5=E8E3C862AD1DDCBABFFD59317075DE1E,SHA256=FB01A50D7FF2F745C8AE3EC6426E8CDBAE0DEEF99B3543C931EA435EC286855E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.863{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_spoolsv_child_processes.yml.tmpMD5=68633B0341419E491237AC6C45F22F40,SHA256=F35826B6389887C1D5069BFEA44A87BF399CEE7EE26655CD0F6BF628E06DE84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.860{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_crime_fireball.yml.tmpMD5=F40D72CF937F22F3F7EFB2B060B13692,SHA256=BA47BFA9AAB821D3B423578CB919123A288AF64E079C9ACFA3B45444EF32A8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.859{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_user32_dll.yml.tmpMD5=ABDB521B59081D69678FD48F326C9373,SHA256=230241621A8CC9593CAD342204F560255E85E876B132026DFE522EE24CD83052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.858{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_netsupport_rat.yml.tmpMD5=296271D594586B8F6BDE2D5AAF05202A,SHA256=35BFB40B17355C9D750F6EA2BE1701D5F32525710F2AFFC93786F3C6DC352319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.856{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_fodhelper.yml.tmpMD5=AE8987591BBAF7DBF4E472203C43D385,SHA256=A49EBB5E6B2FDC75A133F728AB52E8845B7CEF7F9AF70676DD905DF43DBC27CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.855{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ping_hex_ip.yml.tmpMD5=D7C30F62E503C57FC7790EA4FE8E1D2A,SHA256=8F57C4361EC29A252C8BB1C3DA894B11936952F4E1FAE0A103C7DA159DB712F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.853{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bypass_squiblytwo.yml.tmpMD5=78BFFFAF3208402D02A28D781FE4B629,SHA256=90579DE86903F0BF7C1BAF953E5BB400510211130E2878F4D2D0FA97AE588C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.851{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_binary_highly_relevant.yml.tmpMD5=62E5A3B7051B7B8B24F7618CFF69D957,SHA256=1B728D993D7BF05C0A30BFF2E1ADE436CEADF94F67C3126D1AFB9D0D4872BB09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.849{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521B1CB16223DF99C2A2A663CA8AEF12,SHA256=1AD305388ADAF3589E48886E8426225668236FCD5EEC72D4FAA14F9C5418E1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.849{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ultravnc.yml.tmpMD5=47D8D66A5382D77DE4F3CB2F3D27C9A3,SHA256=8677FA433E61EFBD65DBAF9455F81CF72D2837E3A762F91E9394DBD4EE933467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.847{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_whoami.yml.tmpMD5=D07466272F5AAD6D17735D8B61FB62F2,SHA256=762F92F520904AA6434F8B4A977213D7B5B8235FE22CA2F6FF23434D15D969EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.845{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sysmon_exploitation.yml.tmpMD5=2F2A3094661A5CA8DBED00E3D3B4309B,SHA256=73C17D44FD9A6E6AD5220B1C0F613FD9E05314E6B1AB0EE198A6CBEFFD614E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.844{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ntdll_type_redirect.yml.tmpMD5=80B7599CC753FD9671D051E337570C5C,SHA256=59C89B142F0EF5BF000DC26138858968DC8217FD8D7E2FC365F6DCCE9FEBB4AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.842{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_automated_collection.yml.tmpMD5=5EA5997ED1F2240131D345D94EF10D59,SHA256=228E00478F9D2AA6190E9F7DE89314DB0F18D4C95F2E1F3AD2E4A369D9CC2050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.840{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_pester_parent.yml.tmpMD5=0F418BD42620C4CB46D3EF73DF9297A8,SHA256=E00EAC7166E73879C3852DBD98DEF6373693406CC9D091A6382E7BCE00BC31C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.839{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_infdefaultinstall.yml.tmpMD5=7FB147A9BE48000C0C11EECEEF75CE2A,SHA256=8DCA0C894DD330547BA7749236BADE969040BEB105BE914B687E94FD5E429055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.837{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uninstall_crowdstrike_falcon.yml.tmpMD5=5BA3A4703FFAA9389E221AA08979DDB1,SHA256=6C3EA9F289C352608A8288457391CB157B3B7449408182648598BE38B666C09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.836{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_recon.yml.tmpMD5=9896AB410F997B343DC20E66D4C26CD3,SHA256=997D468342B41AA7B89216BB2794765570BA176440576EE1FABBB1C7199DF2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.834{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_via_use_clip.yml.tmpMD5=1840FFA118A2707F0213598FA1A153CF,SHA256=B3915D1F039823DE0C08D557B10EDDC413CDB2CD57AAF67BB6613E9F548B8279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.834{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_parent_of_conhost.yml.tmpMD5=4D4CBD8DD1E0B997A94547E5B5DACC2C,SHA256=ABCF67210CBE19F1A9375322DBBC28CB2A2BE97A1340C0CCC574E8FCB410CAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.833{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml.tmpMD5=3009383D3EFE327D7AEACC1713D799EA,SHA256=E65DDDE62646D44096396F1399CB1E111D0D4B532909FA0937D176276C82141B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.831{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_anydesk_susp_folder.yml.tmpMD5=89CC62F22E6E9108E1A0D9DB0B49F21D,SHA256=7149F9F6FA6983DF0769B0BD90048B6307A44D2BA1E1CAD4884E6A97D1B3824F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.829{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_explorer_break_proctree.yml.tmpMD5=D4A8F45FE86A62DA56E1156774AD3910,SHA256=ECD40D26DD6375F5A2570E5EB2C2FB0A332589A42466EF1A95DFDAFF9E04DADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.828{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_activity.yml.tmpMD5=3ACBC592D753206512357D426DB3E104,SHA256=0E7BA962E94BBD60C547CDF297E5E73EF972AE4D77C3852CFB94A61BC62F998C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.826{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_defender_exclusion.yml.tmpMD5=A3714FBBAD0B18524FD69FABE410E390,SHA256=9C480B7B42F3E0114B220775E9370D940412D0DFD555BD9702A262FD0502862F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.824{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtask_creation.yml.tmpMD5=2C6322BDCEEA032FCBF9E3CDE5244B2A,SHA256=CCC9D554AC8CA96C477FE2EA657616127FE2A8FA4667C0BF01B0A7B7312FE7EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.823{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_run_powershell_script_from_input_stream.yml.tmpMD5=8D4A6DA0828846031366FFE788989667,SHA256=7139EFD3DA2FCE296BA369B0D45B7A0052EBB7885B429A04F59F6D9072D98E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.822{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dumpstack_log_evasion.yml.tmpMD5=15D5CE0FAF9E1DA5BC7FD1922EA8DECD,SHA256=66303255F8D7DA51C5B09EA3DAD7D19D6067C2567E1360FEFE97CAA6FD9DDDE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.820{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_direct_asep_reg_keys_modification.yml.tmpMD5=D1893E81AB6E681753E98B1C3D03C11A,SHA256=CC5C37A4867366CC456F6280075707AEE5B2C437188175C0247FD185DBDC0767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.818{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_del.yml.tmpMD5=5CA6C1191E4FCA8BBABFF941751CA085,SHA256=130F46A64EED5EC89365376A27807E83BB6570061A954F39E2A13AAD44E69E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.817{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_script_exec_from_env_folder.yml.tmpMD5=DC6EC740C7B82465845E2D2C8A14ABD1,SHA256=BE06E47C79D638346284AF732367290C749D6B37EBA35C9BC36EAFCEF9E8E563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.814{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psexex_paexec_escalate_system.yml.tmpMD5=BD7B8FDDEF9D57690DCA647B524AB99F,SHA256=B1893ABBE657CF5B2C932E119B628BC7916EE47C4DF32795C9EF5E87AA949D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.813{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530F10543CB091214A54426684A7E8F9,SHA256=539009912DB1D385F16266B0BA0973F8A814EEBFBE551FADC23B3AF67057AC34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.812{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_empiremonkey.yml.tmpMD5=6941936206AD04333D7A617AF7A9B0BD,SHA256=4DAAAA445338B66D8BDE388FA9320742A39A6DF0120C9D41653AF9467F9413B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.811{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_whoami_as_priv_user.yml.tmpMD5=22BDA65F5E8CE75DAE2FD91AE8077F0E,SHA256=B605C1464DD5C17826B05936E70A4A1F94713F2DE82F08D328E9CFCE7542F42C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.809{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_cmdline_reversed_strings.yml.tmpMD5=61E6811B909C73561F0FFAF38479FE66,SHA256=FC424C5F435FA7AF4215EB42BEA076B46FF6BD00D2C5F40F9FBCF3AAC4420F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.805{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_get_clipboard.yml.tmpMD5=A196F3B9B396D8E249A1FCCD7A1ECD94,SHA256=D6595FAC2A0B507DABF8B0B1D6E3B11F701B5ED95FEE3DA8789A2A93B6BD210D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.803{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_enable_rdp.yml.tmpMD5=7E02A39A63CE9CD1741CBFF3BB1F89EA,SHA256=05FE797DE792E3AB55DFFE958AB0F43267E993A2499F16B912AF89284815388D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.801{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_trickbot_recon_activity.yml.tmpMD5=81F22D699E1395FF53B866B727E6F3E1,SHA256=9E79CD60602A3F1381FBB2723268AA091BBCECA5598846BDE402E8BA03ADAC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.799{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_renamed_createdump.yml.tmpMD5=C865499C9F3D01BBD70FF3E1481E2525,SHA256=E04ECA75204FC9B0EAF268DA1B8F7D73423A3B5428CB23CB00BC394C4649B001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.798{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_abusing_windows_telemetry_for_persistence.yml.tmpMD5=B19CA59A1CFAC0D0D9A55A18CD654B6E,SHA256=DACE9CE9DF2348FD74DB048CFCD37E799E79624728746C4EDDBCDD244ADB413D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.796{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_turla_comrat_may20.yml.tmpMD5=1905494347EF984DF588D21D8649DEC3,SHA256=71B1F7AB0C781F14FB9CD458D8712943DD564B3AC10521E9B080765497F6E58F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.794{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_screenconnect_access.yml.tmpMD5=EE7C69C0E6331A814E529519FD4F6655,SHA256=6F2B8DF1D1A8D1BC073C153CE9264EA1CFBF65285DEA6F5E61939ADCC28F307B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.793{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_cmd_http_appdata.yml.tmpMD5=A74BF25A58404B382BE0DDDB0D74D202,SHA256=A840D2101F2BBF36D704220C1EFFCA2BE8F1E0427101308178FF55705A00896B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.792{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_port_fwd.yml.tmpMD5=84C90E03B1B71429EBD4AFF0C3D60220,SHA256=80C2ADF07A44C90D137622F69C657257FB7258681A5135D2FE6B0554CFD046ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.791{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_via_var.yml.tmpMD5=CE75CA941422A8517A28D550980A10F1,SHA256=3360084DD65B5C9C3E776BBD88277A8FBCCAD7FAE6E1CF440F140AB6FF2B229D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.789{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dirlister.yml.tmpMD5=584D854AA814A7E549868D942718A17B,SHA256=D901C519C152D278A6D5CEBE93AB242F76C2CB01CAD1255451DF1751163FF95A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.786{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_defender_tampering.yml.tmpMD5=119788EBED3F15CB50A7B401C90DDC63,SHA256=545D495B41F54606EA6B1BC4570C99A2A43ACD7F3B974C3508BDE6CA9BB57CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.785{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sus_auditpol_usage.yml.tmpMD5=987AE65358189A303BFB41FAA4664DB7,SHA256=4D9B2B505D849C90AD71DA739E3EB30D8023B78003821527831F51FE092D7DD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.777{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_firewall_disabled_via_powershell.yml.tmpMD5=4D76BB18C770A12AE5D074E19C04B7C8,SHA256=EE5E0923655633B3CBABE7086A0AE495600E18829FE91DA24897320664B75230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.775{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_verclsid_runs_com.yml.tmpMD5=1E7350C4EEAA76732E987E7639CFF83D,SHA256=E7D6F0F6AB4DCB728707FB87C66A2B740440835BDDC91506FD5A63612147177A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.774{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml.tmpMD5=C36C0C0389D54CA955A6319504F7C854,SHA256=850A63897FB6B41F1F597FE5E6F6C54CD15E8C7518076EDAB9998CD5FD6C9F8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.772{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sysnative.yml.tmpMD5=B2DA8FB8B62247A8DD16A681DE9B564C,SHA256=DED73E51C9BBF45D98ED7B7B3AEF23CCE4CB7750E68BF907C71BC996AF4B00FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.770{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_proxy_execution_wuauclt.yml.tmpMD5=BCFFF04141D35FC420469056003B45E0,SHA256=0BEA3C59726C575E0F058C0E911B454DFE8CB5F61762DCB22EB186093FB3C8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.769{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_proc_wrong_parent.yml.tmpMD5=F330FE221CC44502A8DD1C8C371FEAF8,SHA256=07612869EB0C40AA5A241BE5A0D8E4F2997ECAA34CC3490DC89AC1AA92C4438D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.768{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sqlcmd_veeam_dump.yml.tmpMD5=D09B35F5A9031A7978DAA1EB1EC68C70,SHA256=EA69CFC38B5DB4A87B8DAADFEE654343DD0BBBCE197EF63032ACEEB0838FC1F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.767{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_chafer_mar18.yml.tmpMD5=22826EDE7A60426CC501D44F235E746F,SHA256=1967976AD26C0808E0A60EC986A824AB80174310CD0FB3238BB5506BFE912044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.766{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_grpconv.yml.tmpMD5=10EAFD9E909E6B7C13C64CAADB285664,SHA256=38BDDE576577929136F43392E6B8F998F96764424DDAD7A66A77FD15CEFAA597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.765{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_taskmgr_parent.yml.tmpMD5=FCD39A9BBA5A1DF8EE69AFA3DC42785E,SHA256=2FEE6A295F8B8A1A964C69C149BA00887DE8FB8A24A3031EE0A8AED68AD73B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.763{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_script_run.yml.tmpMD5=BB6688088862D10CF99F64A054550FB2,SHA256=8D5C9EE061AB74B5FA2158E1A9C543347223871D83185F8D47F27A8056D79D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.761{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_office_token_search.yml.tmpMD5=2B6E251674E13F503B41835BA4A2C106,SHA256=7597B8158BEFAE9B7AD752B8FA71F86E17666F611DF50E91124BB458F009331A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.760{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_service_dacl_modification_set_service.yml.tmpMD5=C68369220E9437188E367BFDDA796DD2,SHA256=02152E31DED0B2859AAC24E6E19D10185FB6E4C6B3EEB3BA219E650026950A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.758{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_taskkill_sep.yml.tmpMD5=FC940B268C734F9D35422F0A5ACD43EC,SHA256=D930A5A03EB020042E61E0BECEA927FD3E0E5AA391B4E706BA5D434A7E306BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.757{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_megasync.yml.tmpMD5=D91EFA20473B3EAF0CACCB8771544F48,SHA256=6A78BB9E541F103F1FF2DE3BBEE681371F7A550562FEC4963FD19C267EB5AB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.755{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dsacls_abuse_permissions.yml.tmpMD5=CAB4B04149B7FBF8D4946EDFC61F7E42,SHA256=A3EB70085228E1D037FEC6096B458A1D0E6B568621DE44B1A2CBB1ECD9D555B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.753{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_proc_dump_createdump.yml.tmpMD5=CEEAF389F901DA7CC8C97DDAA9FEE2AC,SHA256=A6B43AD39A81CA066FA4A602A087CEE32779D1F5AC9AA35FE4B3F513F5A1AA74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.751{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_certreq_download.yml.tmpMD5=2F35DFB1ED86542630B86D38EFF62EF0,SHA256=67C5FD7F30F34D33BA965C950D0C6192E11BDF7F8ED4AC67E6B95B954C077D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.749{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exfil_data_via_cli.yml.tmpMD5=2192470E375A08B66F2BA8277915BCA3,SHA256=53B4EDCD4D5BFD6A8292B7C4BADBC88FC2F605A958459B5D6014417DFA02CF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.747{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_lazarus_session_highjack.yml.tmpMD5=C41E5ECB9E4D093B367510F46AFC0EB7,SHA256=2FBE7B52F09DA0921901E2A3E7B5BE17B1FC315659F38DBE1E25CDB13F07633D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.747{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powersploit_empire_schtasks.yml.tmpMD5=00084B9A0D7A3E563ED2703A9A84E94F,SHA256=9E6164D8ED8C3EF8FDA084C5124F953EE67DA88BD91DE48896A786965F013B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.744{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dsim_remove.yml.tmpMD5=3813FC1CBA4B2C9F01D415FE1456C9DB,SHA256=A30A818CC638127A3828D2C894602B60C62A77CC01907B6C804996C960C5683B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.743{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_ta17_293a_ps.yml.tmpMD5=1DB37D85C5E581E0B935A4D9171E46F0,SHA256=283CDFAEC1385AE00138CF00AD28FAA9EDB2032426D87F6A991C778226561C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.741{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dnscmd_discovery.yml.tmpMD5=F783A4D19E36FA3D80B6731C6427C9AC,SHA256=222998B9D2976150C863B25348CA72FC1AA1156DD6C5509F7E3F1AA9ED52EB09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.740{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_xordump.yml.tmpMD5=3F69912A59C9E4F2E5315B68CFAF2E66,SHA256=B97F0B55BB11FBD377837DC5255CCA2F78FD22BA9D577C07AC86784A5EBEA8BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.738{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netcat_execution.yml.tmpMD5=5548B1A65CAD3A03C533180DEC2B059B,SHA256=60CA9E48EAF33C7D1057AC689044390CA908549E5401099A7D2C2C435AF2CAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.737{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_network_sniffing.yml.tmpMD5=E78CE577CAA6A8830D5F05325CFD2E60,SHA256=AC3D476614942B9B5EB869D91C53529C19C666B7B905054FD57709A083B885A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.735{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_schtasks_system.yml.tmpMD5=AFEAED5EB53B55172B5B2A7F336850B6,SHA256=87B60BBD19813A1B9493BBECC8D22977BBBDAA99D284D0DAD1445BF846567707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.733{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_regedit_export_critical_keys.yml.tmpMD5=A19AA1D5A81231369BB69E9ADA2F2034,SHA256=0CA71EA567DDCF877A811C70CC67D8AB6E1A05886D28F10220F64F8294278E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.731{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mshta_http.yml.tmpMD5=9D875E94102B77AFCBFAC155FD599B0A,SHA256=E0AF7288E51DF2F344D35077E1840B5665AC832C8F6EE910D3C7785C560A2582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.729{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_using_sc_to_hide_sevices.yml.tmpMD5=8D506430E04F741CC6199887FF0881C4,SHA256=4D0219F149DB7B727CC670731421D037AF1D2032EEB6667FA758116DCAF7A0DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.727{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mmc20_lateral_movement.yml.tmpMD5=6AC8486138731158DFE0D22A18462E6F,SHA256=E642BB0AA42B751086A8BAB39579AE67A04511265F652C96C0AE73B5DA4A7563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.725{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtask_creation_temp_folder.yml.tmpMD5=62137A726BEE9FEA1CB1716E51C47442,SHA256=D92AABC302981205F8711DBE533AE927ECECE960E9750E7BADA05A82FD894F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.724{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2020_1350.yml.tmpMD5=84CDD134AC242E0FC76C991EAF354198,SHA256=DE76929BE159D62EEC8BC3877886FDB8B6F08F8403DBB15F7448BEF2EF59ACB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.722{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_local_system_owner_account_discovery.yml.tmpMD5=EF9E342410219A8D005BA7C7B72A6253,SHA256=07E87C503BF4F13214F19E4F97D9A1C6EC641F2285678B65560DE7D115BC63C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.720{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_conti.yml.tmpMD5=39C73F8392430DD45CB5AA51CFD23CCA,SHA256=A581D742684FB3BF39FC658FDC839DC908990777E5D7F2157AAD392DB660024A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.719{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_headless_browser_file_download.yml.tmpMD5=D2B4FD6449569EBDE1DB48AFF3ADB6A0,SHA256=A43DE0B801BD446F6C553E5B1168DD4D7BDD14698923CD974C16C488CCE758F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.718{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_codepage_switch.yml.tmpMD5=7A950BE1A8363C86A68CC2C283255B55,SHA256=94DC22B96EFB52F50D8F8D084E3047EDB6358326390E3E175C67EEF59F7A86AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.716{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_base64_load.yml.tmpMD5=EEF23317ED0A56CA3209084986183E18,SHA256=813F161183C35726A3A2523962C3C7F8172FDF5C2C42C4AE68187ABEA516BD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.715{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_vsiisexelauncher.yml.tmpMD5=C594BD7A73E744FBBE4B11267054DE2C,SHA256=7F9E5871D320DD915D7F804F049CB2A95C64484C8A4698039F58D22D029EA597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.712{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_public_folder.yml.tmpMD5=F5CEEF4085AE8AC3E9F5DF4AFC4340B2,SHA256=76D32125B87B3BD9D4E6C27D3F63FB63153D1BB89C6FF18BBC71D103B1050895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.711{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_script_execution.yml.tmpMD5=B82BFFD686E87CB031BB593798301824,SHA256=B36688618E4E1DD914EE3795A0491F11055E2A3809E99F52B6B86EFB80EE420A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.709{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2017_11882.yml.tmpMD5=FD7CCA0C380787BF40938786255409F6,SHA256=DB20ADB176ACDE1C8DF20EB8273C43279911A4F0B4EAADACD59D8EE0EB7254A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.707{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ssh_port_forward.yml.tmpMD5=B41F9620CDCF2F7228F391804D30961B,SHA256=1A455063D1E0588745DD0FB4874FC33FF01D70C575098D14A2498773C7E27C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.707{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_dxcap.yml.tmpMD5=E098ABD2BEE37D816B8AE13168D91F6E,SHA256=F9D1EC776B2B7EFB6491195110E1C6086D8065B1DF23F636C742CFE4D7B51FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.705{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tool_psexec.yml.tmpMD5=2EEF7B9EE1CFA3BC5E4B177111172E1B,SHA256=49F90631E42D5096C4DE26E770F4BB8B4BBC6E12CEE5B9833FD549DABBF02B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.704{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_cloudhopper.yml.tmpMD5=0C15F3AE869F30591A725D0797901EAC,SHA256=E782289E4ED73346623FB056511F486322CEEDA569BC1D1DD0922272C6876C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.701{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msdt_susp_parent.yml.tmpMD5=0036D3CC0AB5D2963C6759E019C33B85,SHA256=57B57B24DC103EF0D3DECB2E1ECF85739892BFB32C4435009916D6AF507937FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.699{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_ta505_dropper.yml.tmpMD5=7EDD474227318DB980606BD61317B296,SHA256=8C82DC5142E663A8DB5BE87BD1A56E3675799AEF8D70B3A16D8CBC35FDF72DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.697{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bitsadmin_download_susp_ext.yml.tmpMD5=409B74A4126C29D81B78EFF26D02523A,SHA256=D26EEC6A50A221DDB774F0139F7C9B9C802023160775B473F0A5F605C2DE65C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.696{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_gup_download.yml.tmpMD5=19460C6C165661535CBCE257B4B03951,SHA256=20479EE0722984F3FD8828CA2325C826BAD3A09097073A4ADBB5CE54B14CEB42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.694{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_empire_uac_bypass.yml.tmpMD5=E72D6C3CBEF56440591AF40F41CF0FB4,SHA256=2B6B9200A68A0571D200E94ACF429D43558CF2681DADC1E79B3CA197E334B456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.694{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_sub_processes.yml.tmpMD5=C7A5841AC43B03726A5DCBABA3B714CA,SHA256=AD61F54FBB9CDD111F7BDF43BED87F8D133CF0FAFF0DE0EBB573E96F1C478972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.692{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psloglist.yml.tmpMD5=49447F8B016125801CCABF49FA195B98,SHA256=A9DAC812074773DD24C6876146C0FAB23EF1A64C4C2DD7000657D85004B3651C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.690{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_launch_vsdevshell.yml.tmpMD5=C80884B0436D6A7AAFD3DC3472B6FB08,SHA256=3A77984B0F69C17F22DB3B380295378F3A6A7BE23B2D675061FA0FD8B579D239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.689{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_extexport.yml.tmpMD5=442D5ACF25EF3B1A6C34A9448CF8C924,SHA256=AB05370E3E35B80C3B80411CA72D879DFC4F8C88C342E65D3F0BAAB7562367F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.687{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regsvr32_spawn_explorer.yml.tmpMD5=422068E2CDE544CEADC5BAD8375A0821,SHA256=BACB50B186788D82685867C673570A889D889A3803D6F2C3E8E5240BCF983FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.686{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_findstr_gpp_passwords.yml.tmpMD5=C6A573C75A222823EA53F75E60C6ADC5,SHA256=9134D0C907D3A27C0C060E87129683C0403B93C90C9E1362F0AB9AD3EA055B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.683{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml.tmpMD5=C8BED624D7DADE118E15EBFBC2837A5C,SHA256=300CCC1C1B8EDC2D0D8FD645B64E6E504C5B7D1DC334C4EF1941D76DE1133FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.681{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_userinit_child.yml.tmpMD5=5030FE3450B4D1D4E97911BF9779C04A,SHA256=9955B3150B4826281B732D69B8D5466964F13613028AB5E615697461BCADE52E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.679{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_whoami_anomaly.yml.tmpMD5=98F7510B8D8B2D1BB91734D881FC38FC,SHA256=567EE331C76E8059A2BF8A6C1C76E68BBC9D82A8F23093DC6E440FE1E6F882AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.678{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_parent_combo.yml.tmpMD5=8503754F6F4ACEF7464131591A607036,SHA256=34EC9EE7C799A46DB8E4595EF45615CC13E24EF5523481226F5C36C231376868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.675{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_csc_folder.yml.tmpMD5=41AAE1EAC4FC62BC33DECA11EBCAC82E,SHA256=B7C606A6A07B4313264412C8FD0B0F93835866698A8DEF36A34A8406A79426F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.673{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_netsh_dll_persistence.yml.tmpMD5=42AE38D6FF8CC7DF3AF5BF71BDD70986,SHA256=B8CE28DDBE0F04FE9A95A970B90E9C5D8FE4022FA7F1DA1F036147F6E0A3E3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.672{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_fw_enable_group_rule.yml.tmpMD5=91C3BF208CEF03F15CB995924370636F,SHA256=54F901048AA98BF5F2DC5FADE1633A7B5F77BD9DF056B7DBF2A4B28A30A93D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.669{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_diskshadow.yml.tmpMD5=A8F146829323D0310C47BBB894AE8CF2,SHA256=2F4B0CC4DF067816B1C8749E04C1E4D1EDAAAE699A367C7E9F6CEEC78107483A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.669{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_pressynkey_lolbin.yml.tmpMD5=DA0B21963C6B63F56B6201EB1A62388D,SHA256=77024D82EFEF776C513769C08CA087D461641C26AA710A5F8BED72430CCD9A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.667{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regsvr32_remote_share.yml.tmpMD5=CF75D9AA38D40C96ABCB978016CB6789,SHA256=E9EF44B158E7BBF7A312C3E83BC32A132DC80B1BE020F780ADD8A0714F8328BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.666{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_group_recon.yml.tmpMD5=68312D9B07A5C6AEB061837B41203AA4,SHA256=44F1C2B08C9CAC4526ECE8F2F44EAA8F1AF5251DF7F8F030CD06B4115F849594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.665{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_nslookup_pwsh_download_cradle.yml.tmpMD5=1CF99674CF43E2C035676ABF2A05E337,SHA256=F841321D6A69D09B7749CB91679345D62644763FBF70DA964757C8EBB78CAB89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.663{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_muddywater_dnstunnel.yml.tmpMD5=0496B59B3ABCA321E017077D808C2109,SHA256=C3852D18834DB2D0818BB1765751357C1F9899CBFA35A3FFB2756EA0550AB268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.661{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmi_persistence_script_event_consumer.yml.tmpMD5=D011FF64C351584D6348B9F1EFDDFA76,SHA256=385C62E635904C9EE91C59AE874944F924819ECE4DFA69A413DEDF248BD9A6C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.657{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmiprvse_spawning_process.yml.tmpMD5=DCC2ED7111A46838A30E30796D399605,SHA256=52768E2295C09BF30AF810EF4EFBF70FA024EE98D58E05128C1A27AF067CFF18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.653{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_obfuscated_ip_via_cli.yml.tmpMD5=8066E82AF6AE6832D9A41C187DA2D7D4,SHA256=340E902AF1DFB5CD997654051F539FF2181886A3EA5BA86718F04FA5C6F39C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.651{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_advancedrun_priv_user.yml.tmpMD5=ED9EF85653294CDDBD8A475BF07B6362,SHA256=AE879E9BF0823E35BAF91D871B35B2B4A39DF1F545A426967C973E5AFCD7E660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.650{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_shadowcopy_deletion_via_powershell.yml.tmpMD5=3602AEBB4410E2EAAE3D384FBC8D2EB2,SHA256=DDFC7AE67E2256BFF464ABA313D080974C50817325E60ABE19E7EFA37E4A0759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.648{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_ttdinject.yml.tmpMD5=5FA0A51279454A4F78B8346ABD3074E9,SHA256=2FF4EBF362979627DF3C95B37767A2D539D8B90003BB03A4A6EC7D775271374A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.647{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_devtoolslauncher.yml.tmpMD5=DF01A7F952AC4D74069A13CE951F2086,SHA256=0265F03176C919ED7AC625AEE50B1096737C4A083654E4418EE5A4CCAB44CD55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.645{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_screenconnect.yml.tmpMD5=9DECA63F7774A713CC1AE98322698EAF,SHA256=906AC0E7E1608F3446DE112F762B4E4D7B001E920B35CD77D33CEF517CC72CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.643{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sc_delete_av_services.yml.tmpMD5=2C674CA3E4DAE369F4F7288A580E8FD7,SHA256=FB98630DDE53979D75F1E660D17CF4961322EA70A5B1D7D3080688C72C323305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.641{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_remote_command.yml.tmpMD5=CE9AE2B7CD5875E0982A57343496EEE3,SHA256=6E62BB389E2A319AE3E030870D65AE68B89E8576F7B8DB738D50E41FAD28F5E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.639{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_delete.yml.tmpMD5=AA939B9C93300755DD453117F9B85AFC,SHA256=23E43B70CDEE3AE12AF4607A932FF2E78E4A7349F1B22F48AA5BAC49E9358CFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.637{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_mounted_share_deletion.yml.tmpMD5=2847874834F4A869C8198A6846A6221A,SHA256=64FCE74FB2CC631E662D038E8A9C5BEC35D5D20D6907D9F95407B188C3BCA2DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.635{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_ryuk.yml.tmpMD5=BD908CB4082FFD53AD3EC54047C9DACA,SHA256=A179FA739086F035CDBA6044DD8F590E2930452D19C0E81EDA49696443D34A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.632{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tool_nircmd_as_system.yml.tmpMD5=62E0FE2E69067909A32DF7AD84466C63,SHA256=23DDB35634FD493360A27D92D523EB2EAA11D45AEC82B7BF151B41E279DA362C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.630{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_tropictrooper.yml.tmpMD5=B4B4F79FC31EFDA829FD371C39EF450E,SHA256=B49DE59F21C8206D02303B1C5A08612F9FAB2531442BC5F91F87E22AEE346A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.629{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_wmic_execution.yml.tmpMD5=157CDED64152E08FB0F7D4C11E46749E,SHA256=C2DE78CC90DB3E47C4C2FE858F995E4AF8B36F9FDC28298FC54A6BCC109FB0F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.627{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_use_of_sqlps_bin.yml.tmpMD5=9E7543DDA47CCA6AF929D44CF3E232FB,SHA256=5B70A2D5CA8E48FACA66A103147707F3AFA2FEFB1E0688EF5E4D79F2E098770A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.626{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_bash.yml.tmpMD5=A0F94193DF4BC1612681F99739FE5058,SHA256=5267FF7241C976A34E01DB53C7A5514773FBB9A694EA11EC401A1AB43C111E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.625{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_machineguid.yml.tmpMD5=30F22B11E5197CB61645125E48AB46D9,SHA256=EB0232D98E5372BFF5745F810B5DCFFDF79CCCF7EB6C0F912D6E11EE8341BAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.622{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_mshta_execution.yml.tmpMD5=5764FA9782948959C63C0424A2DA5EC8,SHA256=92F532726591CB1448DAA8C760BFD2F12546E3791EB72D4508BF675F0B60940A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.621{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_servu_process_pattern.yml.tmpMD5=540C5594B32D3F13352554C0AB75F85B,SHA256=0FB9AAFF777F933CF642F61C21F2D65BD7E02377AC9AF86D8F09B0F6B343BE10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.619{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_curl_download.yml.tmpMD5=C42929A7F768A5C339CDD3154BBCD8AB,SHA256=A4A2C59E1CB874C8B2C7686C41CD7C1B59382B6F72DCB9BE5D247DF43C7D8852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.617{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_change_default_file_assoc_susp.yml.tmpMD5=79E31745090D21BD20357EE91E2F19C2,SHA256=2D69C703CF0998B03AE6E5EAABBC8A076C0E5A8C725B37496EFC04017E4DF137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.617{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_service_stop.yml.tmpMD5=C6F6715C19676DA5C3E15C5FF500A0BC,SHA256=E2CF8EF3D4AD654C0E504D8AF2AE52B44393EFBF0F4C52175B936107CB5FC01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.615{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_reg_add.yml.tmpMD5=356E9CD6607D697EF3835AF93271BEF6,SHA256=EB676156651DB76EB4CB5DE2D198322BAC4C1BC6FC1BAE9E945D0E1768936484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.612{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_changepk_slui.yml.tmpMD5=DE5E59D1B92A5285CEE4836DF3CCA28D,SHA256=65C3C1B1BF205DA85602C0CDD99900C7B3BE5FF76672A92832B1107ACFEC6A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.610{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regsvr32_flags_anomaly.yml.tmpMD5=DE7725B920651CDC57FB0F334EB859E8,SHA256=D0800B7D9E31FED11086B166B3B85B45E4E72707777E10272A2434614DAD3C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.607{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_nltest_recon.yml.tmpMD5=EF7E8FD73B87DCD6D51EBB11E3CA9B3E,SHA256=B751FA38D3837A5249DFD3DD86ECCE78BC068B2127B538E7A1E456B8F849908B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.605{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_pcwrun_follina.yml.tmpMD5=2545FB66D3DA1917B892FE0E37643007,SHA256=83991CC0EE56B7A1B4F317B424FB3D20EA054FEC5C9326F3098991A46F932BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.605{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_defender_base64.yml.tmpMD5=1A36610CF4E29BFA183A1D3031F3E27A,SHA256=8129ED084F6DE63D5A0247429FD0A3DEF5C013DAF0AD001F358F05AD3D321CDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.604{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_reconnaissance.yml.tmpMD5=9955C8782F1EE1F5FD4137BD0AF53210,SHA256=37AE2E2E87FBAFEA16F98DC1357EECC2E8F4FCDA5051C59CB75DB69C5F9B11CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.602{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_eventlog_clear.yml.tmpMD5=71705F1C7951052E70CDA918BFD0E10B,SHA256=5F442A2BA1AEECEF9EF5BEBE3635B25A8AE918116D6234095729927958D0DC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.601{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_download_office_domain.yml.tmpMD5=2267254584D7142142ED1D8C3821A0A2,SHA256=41294FF5DF00F4231FD70C68B274BE442E7447624A7E3B008AC3DBBB2ED958D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.599{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_computer_discovery_get_adcomputer.yml.tmpMD5=42A99BD0F7798F1117AE3DE4FFF61BC0,SHA256=CE9D28E58304B1BCA9CBFAF293F7E60EE7A224DD42F944BF346566BAEC175EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.597{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_service.yml.tmpMD5=EA8BB234A44AEBCA5D08CBFAB6F9E130,SHA256=367E328702C4C4BF1E47A6B2C8F53AD5633521545A4DE73E0F280C233C787B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.596{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_cmdline_susp_comb_methods.yml.tmpMD5=83FB9DE822DCB1E2C5CA19877E621CDB,SHA256=B9ED78701A3315036AE62EBF5BC64C2F9BA331E6E261CDF7A49D690FC50F9423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.596{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_defender_disable_feature.yml.tmpMD5=B7312CD2BC110A4474377C305094E73F,SHA256=80EEE990DA0245A4B86357F1180E82FD7BB7517C76197856455B7160FC5E12E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.593{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_process_dump_rundll32_comsvcs.yml.tmpMD5=418A283CDD9F25270CCDD5144119148D,SHA256=37DED14C92C227EF04B1D4B9F660ED57ED6BE47774F70D334FF58CB6C4F59B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.592{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_fsutil_drive_enumeration.yml.tmpMD5=FA2A3845683AFC48F5FBF67F9243012B,SHA256=D2F8B00017F5F61C987E4FDB145B02D1EE6CBEB759235A45AFBDCDC2BF6E67CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.589{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_download_cradles.yml.tmpMD5=0685BC10BF730A0230A0D51B2FB476D9,SHA256=933CA03844EF2EA08F381BAE41545925D69A3B731AB02A9C49D8532B27AE43D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.587{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_equationgroup_dll_u_load.yml.tmpMD5=79509DD2AB702E60655D03FD0123976C,SHA256=14BEF250EC5F6281CA91E3CEBA80344C73740E8CD4F087862609EC5D3AD32AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.585{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mshta_javascript.yml.tmpMD5=F434F843669B9C0BD9752A73136E7DD7,SHA256=C202D73BF6F12F8CBBEED0A21BC79D1CBEBA60242DD499F4E905F51B1788E2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.583{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_port_fwd_3389.yml.tmpMD5=EF1818D5AB4A6EA4C33EEE3E4BCAC313,SHA256=ABE7A1EF677FC03C5E02D71E7B2B767EF25DA82054F640111079A6870FF17231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.579{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psexex_paexec_flags.yml.tmpMD5=D9323BD323236A4940C79B14B37ADE03,SHA256=8067B69B226E007A344D0896057DE9D89BF5FF39818C17EEF774AD7C0DDAC7A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.577{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_wmic_proc_create.yml.tmpMD5=8A8D740BEB3C67D3A0D2D505098A9E71,SHA256=5C378FED718482218AB5107704A09939B123C28E8FADB46CA839A9B5AA524B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.575{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_conhost.yml.tmpMD5=BC254110CC819D5836D73BD20F273D64,SHA256=A7D8CB396291D2969EB7048D3FE3BA139D4A20A2F458F6715818E7313DEB46BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.573{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_winzip.yml.tmpMD5=E9216FAA6502DF3982A6AED1AB680300,SHA256=C6AB5660B78AD6EADB0EFEB125BF97934F545A64E343FA7395580797B367969C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.573{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_accesschk_usage_after_priv_escalation.yml.tmpMD5=6F659F8B49A7EE4CAA7084A156DEFBE3,SHA256=FDAF8A0E445512D8044D33BB790B8FDAB39B14AB5D7F23C0EAC49C27A4D45E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.571{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_babyshark.yml.tmpMD5=C35000FC7FA17B541F780CCD4EB2152D,SHA256=96BAF90425054FFD528BAB7E600EDA08A1B746534595F96F8CEF3BE80688F763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.570{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_detecting_fake_instances_of_hxtsr.yml.tmpMD5=8728B38B137C17FDCF18DC810E3A2469,SHA256=38449F9782B96D73B449892AFE48013C852043073A247319CE3667848B1A1821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.568{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_run_powershell_script_from_ads.yml.tmpMD5=24CD2DD00AA0AE992A22DBC301B93158,SHA256=107B8FB52F17D8C47F6B61E7589E8326D80F3772268549D19D15A7FB2F6675CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.567{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_settingsynchost.yml.tmpMD5=09A8E8653BF0DE3D67AED9CAAE12D83B,SHA256=3D6B5ADA57E5739F65F1882CBDC3816EE3166E78A45E55F4739DCD6688AFCC4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.566{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_finger_usage.yml.tmpMD5=3D7F34B706B7904CFA5F7ED0339E1BFE,SHA256=7B0C9938DDA57B3410D1B0A2118C1AAA53D82992D550F04428B5CE709E134C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.564{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_modif_of_services_for_via_commandline.yml.tmpMD5=9B7223BD39CDB2E79493D5369945E216,SHA256=C0DD559F67E914636FF2A59CB088FFF11EF1AFC5708EAF9D6DC82CB2AE336F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.563{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_crackmapexec_patterns.yml.tmpMD5=21595545DFC46D1368B84E9D1419EBDD,SHA256=5CAC5C427C9A237451A794B554D376D5847C3E97013C231D60D653243ADE0C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.561{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lsass_dump.yml.tmpMD5=1B677E94244B29559DA0DB1AC01027E2,SHA256=9F16650A1B99AC684F41A642A172FD7E993C4219CE16A786175E5BED8172ED54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.556{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_vmnat.yml.tmpMD5=AE0BDB461EEBD9B57C2E9FDEF8624E08,SHA256=0BB6A128694EEBFF88C1AF9B060A38F361EA1FC3F6AAE098126E637C8AF63FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.553{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_software_discovery.yml.tmpMD5=7EB62ED6B436A5DC3C7DCE9D1017B868,SHA256=7D169AB29D587BDC12439F10AE8E3AF13063204ED2B21924A981AFBEE3E23B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.551{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_bluemashroom.yml.tmpMD5=8FF56E716F57EE0CD392FD93C6AAFBB6,SHA256=D9497013540CCCDCB35F16C8CB2EAF23D10A5BCF74D7C94B617D9533B55B9EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.549{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml.tmpMD5=8B2989A2FF16A7D3B6FB941CE2657917,SHA256=B7F6E84FF31F1C7A64CBB0CD2AA1534E70111D97C892921830088191C7A2B036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.548{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7ADCB9495EA82E6826FEAFC651B98E2,SHA256=3C49E3B82E01150DC21090D300E76FCB5A3316936929FDB30BA1CCC33521F137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.547{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ssh_usage.yml.tmpMD5=E2DDE07F5DCE3F3EA52B46F6F823FFDD,SHA256=63EBE1BD26FC0A4D8523EE0A415A2DBBA15AE663C6AA4C3E462FF5FD418739A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.544{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_reg_open_command.yml.tmpMD5=095F74CD50CF2343EB3BCFC445EB0216,SHA256=B9EABDD791067C84F87DB514B995DF80674961DE895847986B399EE262E923E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.542{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_builtin_commands_recon.yml.tmpMD5=B8C8E2FD970631A13022237FC5C5157E,SHA256=3D3AFB0EBAEE3431604B8768D85F50DD25953581BD2DC39B6183B48C70C670A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.540{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mal_hermetic_wiper_activity.yml.tmpMD5=5EC8EBC4B839582E39438C64140C3966,SHA256=8472A1DA920F11B68C529B2F273711ED7B1809E0765AA6FF9920D8B8E50E7FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.538{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mal_blue_mockingbird.yml.tmpMD5=39916C631FD2A14B711D7FF9068A8306,SHA256=1B36B17B41BD22EB796B366395240EF79BB1AADC9FA5704B5D9130A63FA474A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.537{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_guid_task_name.yml.tmpMD5=E38B61B66BE13EBCD80DCB71F7620315,SHA256=9E6A8F81095E3345EB6827BC8C92077BE8FA2457CE070BCEDD0AC30848C6E748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.535{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_credential_acquisition_registry_hive_dumping.yml.tmpMD5=7D0D6E4D477677EB3AE658118CBF9617,SHA256=CCE13F73C6A2B51307339E071BDD8830AF8EB5888F0FA7411856EFF40537EF44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.534{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_tttracer_mod_load.yml.tmpMD5=4B0CB3FE6C69C608E35FE00568CC7126,SHA256=F99464A00A65FCE1510BC51855EEF291FA26D1BC6C78A4936CAA98AAE45366AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.532{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_cscript_gathernetworkinfo.yml.tmpMD5=5595E4F666574A50037F47DC9C2C7D51,SHA256=BF52C7541F1297FC3D8703FBAD6D61D786E469F424682FC1AFB327C9DCFD3E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.530{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_conhost_option.yml.tmpMD5=332F79E2098AD0174E80FCD5C00000EE,SHA256=80651A11ED832A3F189BD95977362FBECE91067DD7779DBB48447671818D158F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.528{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dns_exfiltration_tools_execution.yml.tmpMD5=79E8ABBB0F4BBDFF7D15A5EAC1DEA51E,SHA256=1C5D54BA5093C141EEE9955AAE30265013A26779B5DEE3F7643D0A01824ED9D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.526{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ps_encoded_obfusc.yml.tmpMD5=77A8BE0E05CAA652A1CECC6753B00719,SHA256=3F326B692A50F9A1B6AF559DEBC560F827095E7CE046DFD36D64AE9A2F1D974A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.524{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_ftp.yml.tmpMD5=D0B45493A289695888CA0427B94A9867,SHA256=316A5215F0C60ACBF65DF7C990668C86A68BB294B7E40487D470C3BECA6D25FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.522{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_keymgr.yml.tmpMD5=A5BAF9BAD70CD60CF4C3EEB3DEE23622,SHA256=83C69A8A6B9480524BC3887CECCFE3D1F0D5FD81CEFE2A62909EDDF9B8ABC6C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.521{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-064MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.521{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_cipher.yml.tmpMD5=7B87D8A03867A1839AFAE7D52120DECE,SHA256=E8AAC2D0318C5ADAF09EBFACF27DD2AD283C2DD7971C9B30663CF42DE9C5903E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.519{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_cl_invocation.yml.tmpMD5=57A08963EEFCF4922BE95C9B17E65D38,SHA256=B06B33DF55080C25E29DFAC6F05A9C68B13ABA87C787A5D81E25DAAFE55E419D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.516{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_svchost_no_cli.yml.tmpMD5=734124FF71445B73407439B69052A684,SHA256=0B1189DC17F364CAB4A2B4B7EA1BD4437B1AA5F02AC58C9185E79475B64D3E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.515{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mal_lockergoga_ransomware.yml.tmpMD5=905093E5C12460DC99326DC09ACA4502,SHA256=26F9748D9CD4D4E5B2CCB8235A7F612A470F0CA9F6336AB8CFFE99D7BFABC098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.513{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_cmd_patterns.yml.tmpMD5=091DD126BA989CE77859746979E4B02D,SHA256=C072ADB64A0CC47C176D0AA05B8B14B76839FB45BC36670D7A77E591EDBEC21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.511{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_quarks_pwdump.yml.tmpMD5=84B3C5D137915B4D828936FE4CF9E7EC,SHA256=DE00CBE7AAFDBDFF6AA4AE4B2132DA1FDF3F77B45AF837B9789A4BB4E7524BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.510{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_via_use_mhsta.yml.tmpMD5=2964048B90C5E1903BA5211FB24470ED,SHA256=B4DEE680B4748AA2A6CD0BB53F65DA10B66BF5BB80995A862440BB30859F5752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.508{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_schtasks_appdata_local_system.yml.tmpMD5=E3360BD2530F9FF0225024B9FDEFB220,SHA256=80D176168EA0257915725327D1EC25A19904B99D99F9C1E2371215DFF437C361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.507{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_gup.yml.tmpMD5=E00D569D9BCC44192C73A727C42D905C,SHA256=C0DAF659AB6DF24BD796EC2962D11E590A451E13D5AE792352AF41EA74565D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.505{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_print.yml.tmpMD5=A5E83CB0A9AB46D8FAA82E29B4B57415,SHA256=6ACE014E84EEEBD7D5EA6058618958C72B298B274839D93F198412164BD05455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.503{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_hydra.yml.tmpMD5=B013EC533710FFC19408673DB9AC83F6,SHA256=9BBA2588B27D8AF648B636B7D8FA96046097B075F841F682053E9649163EA9CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.501{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_shellexec_rundll_usage.yml.tmpMD5=70BF0B4F43C3A91CA1D6D05D6111C6AB,SHA256=D7CE3E1FD1680066CE1909F9E76A9B3C749AE8A82C52A3F9ED05824826CB13CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.500{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_download.yml.tmpMD5=62D889B8372169341AC86EB9E0B8633F,SHA256=850635004B93FB531659C602CB2AE4EBDB765C7899293A7EDF77BE586F542EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.498{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_fsharp_interpreters.yml.tmpMD5=D3243FF1F083DDD867D0D412A619BCF7,SHA256=B4EFFFD82DDB455E495E52346361DAA23B105CFAA6B7D21AFB397DEFD2F0A6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.497{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_rdp_hijack_shadowing.yml.tmpMD5=D476B1258A864ABF02726BDFFED810BD,SHA256=296055B9866B3DE43BD82D58D8B8B2A22667FF7B4D0737B84FE9D563DAB9D2AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000841408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.497{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-241F-6387-9502-000000009802}3300C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.496{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-241F-6387-9502-000000009802}3300C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000841406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.494{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_iis_service_account_password_dumped.yml.tmpMD5=6338CAC71124D5688C19A761F93C169C,SHA256=1FB8E30D3AF972250897CEA40D50F3492C9A90D77718A683FED92F8E9B82119E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.493{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_redirect_local_admin_share.yml.tmpMD5=63245757892AAFBD84934B201AA9C6C7,SHA256=60BF8630C80174D85600C965DBADBFEBE41F11B11A979DD93985C51D7DCBCAF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.488{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_apt29_thinktanks.yml.tmpMD5=AA5AFDAC8550A220628E18E022DFA9D7,SHA256=B5E9626E81A8B45F07D5B1B776142B4EEC970B313849D2DC338EC4951F9EF228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.486{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_msdt_answer_file.yml.tmpMD5=ECEC844D094221953DDE9193474CF84E,SHA256=C077DC9758A4A0AE7BE8BA1B2D02851D042E59ED62EF9E9609377C925B8B52D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.485{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_net_user_add_never_expire.yml.tmpMD5=6849561DA25F4C99FD7DDD029DF831D8,SHA256=8885354888A3212D897B76C182E358C93B9D62F6E7E1F6EFD7B468DD891B572B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.482{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_wsreset.yml.tmpMD5=94C4479247912967002449510C235054,SHA256=74AD83CB1123558202994133218CE9C7723361A6434F6CF2E4E962CE41FA320C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.480{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_non_interactive_powershell.yml.tmpMD5=9D1B080616246316A9225CEE48540F9E,SHA256=9D8E1F91FACDC6DC424C3F625E0EB8355E2B8F336476FD305BB90038D23CA17D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.477{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_msoffice.yml.tmpMD5=888393E953979FF06C6265F049AB4012,SHA256=C744EEC1241004F0C58D974CE4A9CD8CC729A8973FAD94DD4D70D4DDD01A144E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.474{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_plugx_susp_exe_locations.yml.tmpMD5=44B4F18B1783C0698DE3C733721AFB84,SHA256=B845DED45CEC512CF2CB1B4593EB7292FAA6363E658DECD4B6008239E572FDE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.471{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_abusing_debug_privilege.yml.tmpMD5=3C1C9C81398203F052DEC7D3D9B23622,SHA256=EE9DBD38B6FE4742CC5CBB5E8E7EDDD8E6DB55643B3ECE2877543ED2CEACA3B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.469{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_wsreset_integrity_level.yml.tmpMD5=DEFB6AA795BD2A3186210F3509EECCB0,SHA256=F7B729DD4DE90E7ABD61372925128D72EC4047B61E6583C0A1F57BEAE7F68675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.467{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ntds.yml.tmpMD5=7AAF5BBD23CA055130EB58E8D6C355BF,SHA256=7E04976A2734230CB0FFE53D599F3CAF8169AEDFE76231FD7A023B324BD07875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.465{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_import_cert_susp_locations.yml.tmpMD5=BB24F3266789E72A9E1B7BA5A40C850B,SHA256=3E30C5BEAE1B9CE5AD07FD8FA700F6173B3267E1406239ADA2E7ED2CF312DBBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.462{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_trickbot_wermgr.yml.tmpMD5=0D70411E5142A078DDEF7FE14DC277E1,SHA256=EB737FC954F276ACE16CED5400A4737F7DA84027244EEF1ED4A3E751C8E560B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.460{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_dir_traversal_cli.yml.tmpMD5=D15FCB10DADBFF0EEB0B1BCA546970BC,SHA256=261FB432A1AA42C847598FDD36D9CA42BA622A197D9A3844123FE40B40E99D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.457{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_via_rundll.yml.tmpMD5=52E6150B6F5AE6F3D2695CCDAFAFD487,SHA256=0BEB1D9F5FC4A50EFA6049AD0C500498A28E916B3D1F16C44706D3B7085EC17F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.453{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_high_integrity_sdclt.yml.tmpMD5=FA42F90502AC27E70815BFA04B520249,SHA256=7D186367074810E75833EDB1D7FDFE93CABBE86F03FEFFD59AC3651639F0D00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.451{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_lsass_clone.yml.tmpMD5=07D3935039CAE47EC2C5D943466524BA,SHA256=9216142E0943AAE02C168D4A23F4BFECBAE98F6459BA2965F4BF3E723B5AE1CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.448{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ntdsutil_usage.yml.tmpMD5=9E8D8BF5EA676BA17B76E68E31C8DADD,SHA256=7E1A2F095D3D1F6FE703FFA2684746D84EC95884110D6473B0B981AE8546CC5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.447{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_razorinstaller_explorer.yml.tmpMD5=9E54C19DF877865A5821B5B5E43B49A4,SHA256=C9947263871021834EC01C348AD0E601F2C9EBD6251C8F71927E2B19B6882C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.445{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_taskmgr_localsystem.yml.tmpMD5=51E2655C00C1996846675E3F3330507F,SHA256=2F0FA15E73CE8D8AA16127FF92FE4D02924DC5C99C616BEA1E3F769E44BFBE36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.443{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_cli_escape.yml.tmpMD5=520F9A0645AEDFA123BEEA5F2ED2D70B,SHA256=4652EBF464F3C31A64E96B01DB95D5B275AE2088D7786DC7E4589FE1A0C4A0BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.442{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_b64_shellcode.yml.tmpMD5=820EB4BF1807446D68B588EB65210AC6,SHA256=1986F6021392763729E100C8E46DEEC6F8A6C9DD16BAD2846FCD13F804E54057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.439{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_run_virtualbox.yml.tmpMD5=B31E9D65ECFD76CA65896624E4BC983A,SHA256=795600E7661476B0DFB327B3A909D4A57D24B14B7F58F655C402F1E9AADC8E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.437{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_dctask64_proc_inject.yml.tmpMD5=10DCCB6D95C322F14A9B0BCBDA2E5C5F,SHA256=01292FCC2D8A05969D1B85D4F81B0F2DEEA7DFBC988ADD729F27835F4244DFF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.433{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_fw_add_susp_image.yml.tmpMD5=911478D730232B9B3F7339C16D39976E,SHA256=A72E23776F1966DE35FDD98965D6911830F4AC7E56FC9F9FA2831543F4AC3975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.431{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_mofcomp_execution.yml.tmpMD5=2365E9F1F111B1C1CD1E14155DA81C4B,SHA256=8F12EF5A3A4CCFFB02EF2D7BE5997547A21081D2182FB5DD5336905B3440465E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.428{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_dll_sideload_xwizard.yml.tmpMD5=69373C9918BFB4A4840CCCD68DD53753,SHA256=B8DDF40D6390E90A69776DCB7E40D6C091306DC8BD848EA3663B70CB0E50FE73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.427{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmd_redirection_susp_folder.yml.tmpMD5=7EBC2ADA65CDF991AEFC1403A54D8C5A,SHA256=56A57880DF450E177068D5301F329F1162BE6603575BC016F6C47729C3670C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.425{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sharpup.yml.tmpMD5=31086B2B0F8EFDA18B15A6729880822B,SHA256=1B7FD9F03D47A30B1F6A3FA25835FDE68EDA92FE899BE78EE2B3FC7612C2E7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.422{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_krbrelayup.yml.tmpMD5=8AABBA6E858C6968DD5CAACDCB8769B6,SHA256=A877AE7D9C42CE538DBAFB73FC2ADED8E570E92AD42BC58ADE1833A26BAD611D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.419{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_browser_remote_debugging.yml.tmpMD5=C0201D195050F05C53AF7F3C578E800A,SHA256=195C3FFF89FEC820D1E82F9FF19BD446459D45565943EFF9DB7785032B1C4C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.415{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_crime_maze_ransomware.yml.tmpMD5=268E12E058F0B16580C26E1F55AEAD01,SHA256=F18C1E5AD8758325A54BFF7D382E37FE55E3F1FB028A9FA835F61A9C6D8428E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000841373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.413{8A63456F-1471-6387-1600-000000009802}12804312C:\Windows\system32\svchost.exe{8A63456F-241F-6387-9502-000000009802}3300C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.413{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-241F-6387-9502-000000009802}3300C:\Windows\System32\mobsync.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000841371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.412{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_manage_bde_lolbas.yml.tmpMD5=A439B8A1DD9FA1BC9AB3B26AA808411D,SHA256=F2381E1BF2C879A191725DD09F3FCED02A5F42998B3EC38EDE874984D5751792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.411{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_format.yml.tmpMD5=15899FB9FF949D514271E47F5AA9FDA7,SHA256=336E5677D949C6EEDED5F93774E12961E3C84443567D1562D2F45FD74CB229D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.408{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_cmd_shadowcopy_access.yml.tmpMD5=B5C9F991AA98437F829F04342A1EC6AC,SHA256=37F01D1C6FB41F38C1BBB261AC158ACC660A569C41F1A19E8780B363DC1F0180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.408{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0314BE6D54FAFE88A192ADEB17E9F4F,SHA256=93EA8C35214A2D3D9184E764F688C8ED89EC9C4464CD5B77F7076C9F1FA9F385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.405{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_sigverif.yml.tmpMD5=48F9507F580906C1B035B4D1B5AF2A3F,SHA256=E38A78612F1885CFB55A42B18D66A10D7E385F0E47F5F8A70B6DB87BBDA1856A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.401{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_schedule_type_system.yml.tmpMD5=49CB1F295C2CD040932D0B6CCA73A329,SHA256=BE852A477B239F3B82188E41A622B3620103B9CE9706F21CD906D66767877687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.397{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hacktool_imphashes.yml.tmpMD5=2D896076DA8B876FFE7C9DECA1D97BCC,SHA256=D45504814C8CFDB650211EA37F8BD26E7500F262C3A2397FD612A329F1F231B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000841364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.397{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-241F-6387-9502-000000009802}3300C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000841363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.394{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml.tmpMD5=4CF0FA445B61617C445A4A75D6BACE59,SHA256=092131E1E8ABD8A565431C0131D228AD08ECBF2E56AC5F2DA4281E4E30E3C1CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.392{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_gpresult.yml.tmpMD5=0A66C151950A6F6211F4A42297E30378,SHA256=D6EA7D59EFE572D1527958FAF6CE2AF31D01175E79B987953C7F0B3946715FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.391{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dinjector.yml.tmpMD5=D048282171C146FAF5C6526FCFC39E21,SHA256=AE8A90F410A4F4B3265ACEECDA2303CAD973893900AAD6EAC92FFD2088B21D65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.389{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_copying_sensitive_files_with_credential_data.yml.tmpMD5=E7F6D3F60E14DB8E14B7D5C1120BAE97,SHA256=1D99ECB13038BA242080B2BDB0979391C89E641F2328CFE6513FA0BA619E006E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.387{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_commandline_chars.yml.tmpMD5=28ADF8A6786DC8362C622657B9B29BE3,SHA256=A0B5FAD940704EBBA02C4551AC9CE87E533DF5C82BD8098C666CC8CC5C760572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.385{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_base64_reflective_assembly_load.yml.tmpMD5=DE1DB10102CE5FCC9F2F5C6FB997E899,SHA256=8EC85FA8BD81231963D7BA353F1981DC09C29BE9A70DC28F423EB37234589555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.382{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_wuauclt_cmdline.yml.tmpMD5=80B251D0F104E57714A31AC0AA024865,SHA256=5F7E939E7192606AA3E55DBC105201DBA27B8375CE7189F4BBA03A4371CE948D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.380{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msiexec_dll.yml.tmpMD5=172E06E3167B05901CAF423C77CD7A7F,SHA256=63AE8DCB5940EC6EB041FE74B77731C10FC8084B1855DB958F757BDE00B9FB5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.379{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_safetykatz.yml.tmpMD5=7248A16E85A1C84D81C979CEEAAE2CE9,SHA256=99C9B70FBB50182469B030EEACA7F44AF0637FE6179236B178F2EED8FE6A028D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.377{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rar_flags.yml.tmpMD5=398E4A0404876167706803B94221145A,SHA256=0C3C54354D760403A6E55EFF4143B7D2FF4D5C7555FB60B1F25BCD63F0BF1647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.375{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_non_priv_reg_or_ps.yml.tmpMD5=04314845ABFF10822AE65BA010026D09,SHA256=92AC2EFB9DB1E7AC3B71CFA9ED9245B1E253962602EB5E7BE83EE7E29A4F8A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.373{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_net_use_password_plaintext.yml.tmpMD5=3114827DCFC0FB70B768B9BB3F1E08E1,SHA256=59008BD81DDFBDB19E236E31D1EB77F837768A7B96BE3E7DBEA3B51DA8E6E80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.371{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_selectmyparent.yml.tmpMD5=8D9E688EF70CEBB31BCF2034B98E6E22,SHA256=30E781573826C75A9F7B90315FD383E975FAE98A950D107C9F787BC96BD376A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.371{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_long_powershell_commandline.yml.tmpMD5=BA370476B1FEF9F322CCDA0BE615ECE3,SHA256=904C2E628A4D509875A2A8D95CE086C0BABFCF484904CBA84715508E77F77617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.368{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msdt_susp_cab_options.yml.tmpMD5=9E3BB30B960DA6DE81C58EAE9EE64A86,SHA256=F3E38043EE12AEA4E7A8CB814C95289FDC929B16AE2E90649A761D2D51C347F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.367{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wab_execution_from_non_default_location.yml.tmpMD5=879143AF16785B26A93B3F9DDBEDF677,SHA256=FBE72819F85C2CFFCEB69487DC2ECC2C0DAD6C6B7DDCCA0C87C60DFBD0B3E39F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.365{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmstp_execution_by_creation.yml.tmpMD5=B3A8665907E47CE7E2CBF23DA9F419E1,SHA256=4676017C3B094D0803118B62AE1F38D89B9B23A110CB63478A3E44B4A073E84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.363{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tor_browser.yml.tmpMD5=FE504FD3B9EFEFB5C0E0FBF3BC774566,SHA256=AFA606D92951767D3BADB6963BB2879B1142DA5CE649B122AF0251A832FCCF2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.356{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_fsutil_symlinkevaluation.yml.tmpMD5=5999690C987FDC6BD5848EBE28DC057D,SHA256=5BFF0CDB2C4C26D0BF61AB219B331D7BD01685B873DB4CF1111F08ACDD7762B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.354{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_rundll32.yml.tmpMD5=B6FD53AF42213340979B6B731AF7918E,SHA256=437A65EA6C9AE58F934F25A5E78BA09E86B1261CED6B9B5F8DA6060D192973ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.351{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_webbrowserpassview.yml.tmpMD5=3FA1D27FC0C58A870060763DB4314E0A,SHA256=0F1D4D5658F8D29C6E215EF7FE05D1DCE0CF25B3A007EEDF003619ABBC8B9AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.348{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_enumeration_for_credentials_in_registry.yml.tmpMD5=A5D99B821FF3CF0D79DC8F7274267223,SHA256=7AD609953209AC1A8D42D531316DEDE80D0236A9866DE47F5D0FBF7667517A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.342{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bitsadmin_download_susp_ip.yml.tmpMD5=ABD78E01D6F1AF11A191660C8416B3DB,SHA256=7C3B43675A6CE6E54288CC1F9A661534378C492F9E9C57DDBD0B0B0B87610C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.341{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_change.yml.tmpMD5=98084478F0F0D6E7DAE14C7CEB4520F2,SHA256=561FDE69856E7A46CEF96E84DF292FDD0816C9320F1DC3A59E118994FCAA608D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.332{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_zxshell.yml.tmpMD5=D49AA538E2AF1355E6409EA28F012A7A,SHA256=EF88C59581A8DB520D80A619BB6C37CAFB090F807B206DAA4009D655B241C586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.329{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_icmluautil.yml.tmpMD5=CC7400CFA313B3263A166828A00185C0,SHA256=0A0845C41E9897B3AC004FD01E0934B6E97FE0EACDE41E5ACE389CDFEC1F1A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.327{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_ntfs_reparse_point.yml.tmpMD5=87E44F531DE0561E233E8A9C8122EACE,SHA256=26F18D5D017A37093DD18BDEF7033A47C098F5D17FA693042294912348D63E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.324{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_kavremover.yml.tmpMD5=313B17C2E29972AA168BB5F6232E8B1C,SHA256=76B368E1BD749CC6443CCC696A61D3711A38642612FBB954A4F0F82D647672C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.322{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_proc_dump_dumpminitool.yml.tmpMD5=84BFE89D81B6ED494EB34E0306BCEC85,SHA256=1CB9B377ECC7E41CDB414C2DE0602FADB1AFF0145E35211E228372E184DD66F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.320{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_rundll32_parent_explorer.yml.tmpMD5=030C336ECFC9BB44C3EAB974D397D666,SHA256=6F8A16140A8A32D08E8C488C1EC2971E30B2087FD8E1151AEAB0592A821C0AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.319{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tools_relay_attacks.yml.tmpMD5=4B24C3FE6DE5C56F9422E373A9306642,SHA256=630A6ACCB097D661D44BF4577A9C3DFA3D3B6204F3B714810FE38D147CF83BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.317{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_run_executable_invalid_extension.yml.tmpMD5=C8760D20DB41A19B8D6D657A7525182E,SHA256=4B831209BFEE6DEC4FC0A0644F734A68E7B2722941DC4A2B1C90B79E93263E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.314{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_plink_usage.yml.tmpMD5=5E8FFE6E6F3C62101A1750CCCECB988B,SHA256=B80746D9BCE7D1DDD494D0F7B250F4D502CB7C2EAEFDC4C468303271DDEF76FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.312{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsupport.yml.tmpMD5=20A5A3B1FD502E3068235D172E10A409,SHA256=B745179F98DC83A782D975569E97F5747460CE85448F6E704DE52CDA12187A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.310{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_hidden_b64_cmd.yml.tmpMD5=75D5FF8547B97B767B42A1D682ACF45E,SHA256=3AEFC02D702E977823A28B59F60BE08D6A5BF68E573B8580B1E6FBD8490790C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.307{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_reverse_shell_connection.yml.tmpMD5=C3B82EB1C490064B62A09AC331301EDB,SHA256=9CE0F44454F70AF05F505E5BD0A4D10DD35EF54C7AE0F1297F3E0B2950CA3DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.305{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_parent.yml.tmpMD5=72A43DDAEAF93B5354708F98F4046220,SHA256=EDEAF0B3A87F49037556660AECE789FD1C6B21BCDD48ABFB1C2205F930287744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.303{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_winrm_awl_bypass.yml.tmpMD5=8F0FC6D3D22D8C320190BFA6E012E53F,SHA256=960D46802CD07FCBD62E1B896E8DF8D1E0F8ADBEFFC6E371F58F80A70D623276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.300{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_scriptrunner.yml.tmpMD5=4A2CA861EE5BE78998C1528EF44E8C7D,SHA256=4540B138B0661AF608D974EFC077BF2470A8408239AAA0EF77A735C1B918DB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.297{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_script_exec_from_temp.yml.tmpMD5=D9413E34EE7FA30C48A1CB4FE82EA18D,SHA256=011313253F66AE2949A10F632B869D9989A3D4150ACA1D6FC29B6EB43AF70688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.290{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_idiagnostic_profile.yml.tmpMD5=5306A95AC56344CC97CC7502765E98DA,SHA256=1222E3B6E0D9C7F7C24AC1599E74A1382876BDD0FD1CD11FACC65F5CC560859B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.284{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_extrac32.yml.tmpMD5=25A10B6D4437D5B48C8CB0EDEAD72BE9,SHA256=9E4286828A141873B26AF9A1281C4BA88EDC47F4B9AD325B967160D03089F578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.282{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_reg_bitlocker.yml.tmpMD5=B7BBB9478B1214B1ED5F902BC8ADF3F1,SHA256=93D81F3E28756EF369E60716FB80B3F0DC1B58611FBBF88058CA614965C60C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.279{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_csexec.yml.tmpMD5=07C7921BABB306325DC9B322E0B63CFD,SHA256=1A57C0A7A2DB585F32BB7715ED67F138D926FE8548D5254630DADF86A405C316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.276{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml.tmpMD5=79FFBC36CA718543D5ACAD9FDB682B66,SHA256=D6C322DC360E9A486F6D16EC56FEE04A324F4FFDCB99FB15EC748A97BEEA31D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.275{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_download_iex.yml.tmpMD5=4EB5F61B6504EC63665A5AB5394987CB,SHA256=5A0BF7DC6E299E46F0682A42D8BD3BDD88CA20AC17456B04979F9C6417E9A197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.269{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msdt.yml.tmpMD5=07477538A63CC73FCFB8F498FE9E1E6B,SHA256=6E7AD38F7A65DED97E6679F70A5ED936D01E670C3E21D824EE1C0EFC273031D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.267{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_regedit_import_keys.yml.tmpMD5=5C91472C394F8757E60E5E7334E4F79E,SHA256=184935A646BE1418983C185D1835E39FC785D42E3C5743B67CDC19D69014F87C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.265{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_c3_load_by_rundll32.yml.tmpMD5=FACB47E87789A5801FDFA183A10E6523,SHA256=FF148D45512C9BB76165530AFD3D01F29D7A3E2999DCE327E674FF01CF76207D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.264{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_gpscript.yml.tmpMD5=A414B35E33D52230D6B893F0798850AE,SHA256=CC0479929D4A11266317B2D197EBB79A15DCE64803D211CDAC17854ADE6D67DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.262{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_invoke_webrequest_download.yml.tmpMD5=2D474D21009E0269E6B538EC0E0F8580,SHA256=722CF26740B419E4D673578148BF4972CB0DC39E5A4D86A4D3E5142C76F0A506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.260{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_dragonfly.yml.tmpMD5=3F7A8D2945DF1BD38F86EE89842753EF,SHA256=F8E0B5B49C7906A6087ED0EDB53A8D515C031E5FD3DF8131C5DA84DE17FAFD05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000841311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.259{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-241F-6387-9502-000000009802}3300C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000841310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.253{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dsacls_password_spray.yml.tmpMD5=1F4D94C05D125730784AA86DED99198B,SHA256=98934A28A3DCB2726B500879C7569883ECE42AED4E059E322F993E80BC9D5C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.251{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bitsadmin_download_susp_domain.yml.tmpMD5=A35758A5F6EC92A851375BB3D67CDF2E,SHA256=D683F347AAB12E900D320592B79511F7FF2A561C723E5A5C8EEF820774094E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.250{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--process_access_win_shellcode_inject_msf_empire.yml.tmpMD5=1C9BD275EF6122610F888297BA1D6AEC,SHA256=9A0F11ACB343578865CD07481DAE2C61B1FACE729B09AC402C90D0DD7B6B4BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.248{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_handlekatz_lsass_access.yml.tmpMD5=4B51180ABA5C916ABC771A501D0E893D,SHA256=FB4B73304EF5B81CC07CD507B2FEF579150E504862C023A8487A4DA0E3EF6ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.246{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_lsass_memdump_evasion.yml.tmpMD5=41FDA94D7C09902D2344CED30478DDD4,SHA256=8DBA2C42640B670688E70C9278D6938964F04E886E2D544682DF9AC23476FED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.245{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_lsass_werfault.yml.tmpMD5=E0B6C77BC49D65E112B388BC5A8CC8F5,SHA256=8F8D3DFA0601666FC720AD1370E52E42AEA56A0486A71B3D76F264EF181C4827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.243{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_rare_proc_access_lsass.yml.tmpMD5=C2C5FF627227EE3A7FD3E37BE622A632,SHA256=B488DB0B824A75EFEA28C1CAE958EFA317EB79207C9959124AEE91C88075033E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.241{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_susp_proc_access_lsass_susp_source.yml.tmpMD5=57028C20100B295C18501D86FBBC9BB2,SHA256=B63322FCF88FFA01AD4B002286605923DE73C36866AFF4A8C41BF2B05533ACA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.237{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_direct_syscall_ntopenprocess.yml.tmpMD5=23357328DF0B81ECAE4927DD2F445654,SHA256=DBBE4A94A30340838EA1B2DDA86E51C3FEFD97CC27F2497DE9561422EF01BFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.236{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_pypykatz_cred_dump_lsass_access.yml.tmpMD5=F8CFE479C375519912BE63964DC0AD64,SHA256=311AADB4E6801264923AF16851D88865E2806E6B89B67A407216CD770121B8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.234{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_lsass_memdump.yml.tmpMD5=FB0D656D8E09D08EF986AA4085BA8198,SHA256=50CA708721C9ED4DE457EBCD0490D2CB9FCC5F00E0D054AB1AA3B0CD5E5178FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.233{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_hack_sysmonente.yml.tmpMD5=69EF96474FBB057F509F527E50B84E64,SHA256=61D98C6E0A18F02A1549C280489F60F8BF949710630A96A1103860D62988A1DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.231{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_cmstp_execution_by_access.yml.tmpMD5=1ED73419A9A8C4C8C54ECB57E0C9269B,SHA256=3F3DBA639316FF042342B3B2D7986AC5AAB9C3FFB83AE6D774F9AAC7D92FB127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.227{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_load_undocumented_autoelevated_com_interface.yml.tmpMD5=9C27255F8C1E9CA70ADA3899EC1E3467,SHA256=1051D3CAAD5099D3189A58366D8600D19A5418773F978637FF31FE47A689161E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.224{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_lsass_memdump_indicators.yml.tmpMD5=9716612C0FC7208A2B8A13FF5892ABDA,SHA256=BD65F7E83329E0672FA2CC1B5222A36583C949716D6F48EC586D274FFED115CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.221{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_littlecorporal_generated_maldoc.yml.tmpMD5=52975003C68BEA50749E67B3DBA900D1,SHA256=D3373AAEF9238EE4BF2441F4D64F4F97CF23369F2C5DC05E44108667E0769B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.220{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_cobaltstrike_bof_injection_pattern.yml.tmpMD5=BD3A5EABE334C78C960F28CFFA5086DE,SHA256=7224E4DA404456000AA3E139F31B3F9A1E368B29496A6F9BEC7E043CFFFF5F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.218{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_cred_dump_lsass_access.yml.tmpMD5=CCEC0C15321DE1A74DCA1A160AC96371,SHA256=E63AE54EB1013F37140882C2B238285B598FDFE2B238C3C2A41E1DACABF1D9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.216{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_lazagne_cred_dump_lsass_access.yml.tmpMD5=1C2739FC1A44790B93F65DD369C7FAD7,SHA256=8CF7172F9B30BF4A6C2FD6D5D3F46684751A515F9AC6E6B90F03AAE46A6286A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.214{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_invoke_phantom.yml.tmpMD5=EF34D0652EEB0AB50B058D89CFC8D620,SHA256=B8BC9159F94CF36DE471AB02B4143B4A26AB688E1880634BF947C320D8A2310D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.210{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_mimikatz_trough_winrm.yml.tmpMD5=B22A9BE9D94A6867638D2588B9D09F6E,SHA256=AC8CC8832FBE5B04DA98A3715CF951E0AFDD615ACA34478EA02E274C9F34DA83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.208{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_susp_proc_access_lsass.yml.tmpMD5=022DDA841E192D91C2940FB204B4F71C,SHA256=D97D298BD6CEF174B22D21504E499040FAD6B675C049D987E571F6D4062E8821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.204{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_lsass_dump_comsvcs_dll.yml.tmpMD5=F770EE5A2DB57F39AF0B4C9F0EDE2802,SHA256=540B089537DA3A959AD1B695BA8EC79A732216389C85302B611FC00BF99DBC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.200{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_malware_verclsid_shellcode.yml.tmpMD5=7BC4F6E1EF48F4C04A03361C1A0724E0,SHA256=D9CEA2E53FEE5474119D75AFEF80D26D964500528C932732D12C27B8C38DC348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.196{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_svchost_cred_dump.yml.tmpMD5=F0F53AEBCE931A124E3E985C2CFFAF0A,SHA256=AE72853408E7E0011C0361AFF61B9779F2073ABD98960AAE0DC0C3B043CAA986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.193{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--process_access_win_susp_seclogon.yml.tmpMD5=51C7FCEA842D2B4CE9EB4E55E519DCD4,SHA256=A9D78120033DAF47C6897C747E2A0942384743944987230834F5931C00DD22BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.190{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_access\orig--proc_access_win_uac_bypass_wow64_logger.yml.tmpMD5=FE7527854DDF5C71A84C639453232A76,SHA256=794F9678BB98159F1218FA30FE9D2AFA0E142BBCAB0F39F323BE7C6B623F356A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000841283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.190{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-241F-6387-9502-000000009802}3300C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000841282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.190{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-241F-6387-9502-000000009802}3300C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+4158d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000841281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.183{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_uipromptforcreds_dlls.yml.tmpMD5=7F814D5498F5C9B6DC3F545DFB632749,SHA256=F04311EF8B38701E14266AE4B53F1F52B6AF30B5F0C5BC1F68F24D93BB992F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.182{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_advapi32_dll.yml.tmpMD5=36513194268EA19B5BAD54042E2182EC,SHA256=DA1FCFA5B399004188899A9274D4F509B1550B0114C8F87B50FE290C02AA892F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.179{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_fax_dll.yml.tmpMD5=E8A4F033EB7366D9E35B5CAB69E7A609,SHA256=EE98319B37CC8FAEF1B84B8D3BCE844F7FCC412EB53EEA2D01D4586B61C19D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.178{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_uncommon_image_load.yml.tmpMD5=709FA7C9D45B05B634CFCD39670146A9,SHA256=4E4D8263D8B438AE37164C9B17DB7D2CD0CB0AD98F13FC7D07B1B3A0EA67B91E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.177{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_silenttrinity_stage_use.yml.tmpMD5=C753569415D655744184D3498D5F4F8B,SHA256=A90AB884CF6F5D4D20063B0CDDDF5200D7AAA9D9C99ACB2CEDB17FC6069E4EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.175{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_side_load_dbghelp_dll.yml.tmpMD5=FFBD9976773599C516E0E61B8CE4DB68,SHA256=910954E8F2DABA2C60E2623A7A2F8B9AC2CBA450BD70CC548F0DD42BB80139AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.173{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_msdt_sdiageng.yml.tmpMD5=088A95C1D1EB254416DD440CD43F4254,SHA256=3969C252D5963557225F4D9F778A335F32201AF125D729392E6068FD1F40FA97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.173{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_in_memory_powershell.yml.tmpMD5=E5D08A469CA9ED3F3EA35934B6C65303,SHA256=7342E1B2C72348CF0BCBBE6F8D150B7DD9B699D8F3F4A93269B879CF8EBC1624,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000841273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:27.471{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53831- 23542300x8000000000000000841272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.172{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_sysmon_disable_sharpevtmute.yml.tmpMD5=A4DBEA697A7C7EFB6BC32150D8E5D47C,SHA256=1F3064FDBCFCB61FBAAE25B08F09A83F48CF799ABB755297C61ED7BDEC4EC365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.170{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_mimikatz_inmemory_detection.yml.tmpMD5=233AB5523088034728E30EBDD496CD42,SHA256=95662F8A24DE4E9A3DFF9349CA4491BD509886909F775A79CC5D82DFE46A816E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.168{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_winword_vbadll_load.yml.tmpMD5=0FD81C934A764F7ECBF56E12AE5AF31D,SHA256=BF804BCC833A5677DDF445CAF2BC922A67856ABB4F1ADCEF5CAB526B20C10179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.167{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_vss_ps_load.yml.tmpMD5=D4486003FFA16E05509EBB86ED9E22C6,SHA256=C219325E645ECC9A6127325CA4B066A2C101A6374C04A4C5DAFA6867B7400A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.164{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_script_dotnet_clr_dll_load.yml.tmpMD5=415B2F79B58F2ABD245F5C3E2955DA76,SHA256=37BF05C6DCDF4F15902AED69057A3B55EFBEB51A9FA664303081BB48490BE867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.162{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_vss_dll_load.yml.tmpMD5=B945DD5EF0898CCA19DDECFEEAF30E53,SHA256=4C6129C35F5EEA6E102588DEADA2E0A2C954A43C99CEA305DC11D793A2D76792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.161{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_side_load_antivirus.yml.tmpMD5=E2FB0CA5D12F6EFECC4226E428588050,SHA256=6219F55DA2F0BA6A3EDE913107841D19859BA7A9B65CAAA69A6472B061B0D8A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.160{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_side_load_office_dlls.yml.tmpMD5=65ECCB07F8E0F5DD45D2CA7159FF8996,SHA256=1544855C90D38A08E6F5726512E6AAF705D356F6BADA2DE81D47BDF9FCC50053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.158{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_pingback_backdoor.yml.tmpMD5=BD48D979A86D0E8140533469DAC56978,SHA256=B631D5FA684177EAB506BD1C721A0BE249AEC53B6911200DFC63AFC06114A1C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.157{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_scrcons_imageload_wmi_scripteventconsumer.yml.tmpMD5=2712A4C75DD5A677ADF3AD6501F9AE14,SHA256=59635263F7C76887032727E6ACA81C244C63D99869934CD6B74F54737F34E5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.155{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_wsman_provider_image_load.yml.tmpMD5=307FE959E063B1B95CC014526D18F9B4,SHA256=446F1E4B10B34D03CFC5A29B828AF625BF19F1476BA682B175CB10B3C3425C6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.153{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_wmi_persistence_commandline_event_consumer.yml.tmpMD5=336D25E0F7447A410DFF344A8FB42538,SHA256=5B14DF20878F7AEB6CA1DC5AEFCC4A390233F0584E8E1A576628CADEBB6BF3AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.151{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_office_kerberos_dll_load.yml.tmpMD5=D22297FC87ED5798A16CA13ED5850913,SHA256=18E3992ED544FAE1453DAB095F77820D50A1027A5C806CE12A39D220D754FB2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.149{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_dll_load_system_process.yml.tmpMD5=305B95F117050D785F9D571240D79FB7,SHA256=8250B8038A9455625761C9BE649EC27249A71B62842DC31C3ABDB62C648880BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.142{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_system_drawing_load.yml.tmpMD5=D7FF603BD1DF91B8642B9BB530066ADC,SHA256=400CECE091C0D94D37853606323BDB690DE15D89C6BA51A0D2B555A0AB7D27B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.142{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331BF9C53C79FEE190FC441404D7EAFD,SHA256=50062F7414DAF7F5836F865DE4A0D4202D019503CC28F4130DCC08CB67180EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.139{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_side_load_web_browsers.yml.tmpMD5=2B31C3B6D91B7BDA6C95D924028EC535,SHA256=ED980C272E3F7963BE84DEA4DE9F8FD41B5304377F27C746D2B8F7D4EE2D313C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.134{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_wmiprvse_wbemcomn_dll_hijack.yml.tmpMD5=CFD5FE24618FF4EC19C62310C11373B3,SHA256=20239A1EE8AAA7891937B3F74EDF5957D6354DF9AE5566BE3D51A29F1F604A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.132{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_foggyweb_nobelium.yml.tmpMD5=89664C96494115B5EBF3401DD429DDE5,SHA256=1FE0B834609F42EA4DD51442DB097E4AE32AFADE962551763E3B44FBDC9F7B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.129{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_spoolsv_dll_load.yml.tmpMD5=CAB84450A5D99696C653BD5BECEFE85C,SHA256=2C65DE57EEE518120AA2C3C1449DBBFCE2460907C5B59D8944BB2B5371278378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.122{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_side_load_third_party.yml.tmpMD5=2FF0F2E0F22AEC24FF7BB3AE1C9184C9,SHA256=165978D71845C55ED728FF162041A36C30E2CE9B19743CCA0BF8E25F382EC0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.078{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_office_dotnet_gac_dll_load.yml.tmpMD5=D1FF5247190C761A6D6FE5C1E112E967,SHA256=97F92EEBA04F858167FFCB66692871656B3B75C4E071A5D1D826955295DDC9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.076{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_dbghelp_dbgcore_load.yml.tmpMD5=7ABC3C35CBEDF8F12438E33C72F98B1E,SHA256=C4D41BA86E914A0D159DDB8467BB17586454D97A7EA370C99BAA1AB00053F142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.075{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_rundll32_loading_renamed_comsvcs.yml.tmpMD5=4820342A10285236B89269807FAFB417,SHA256=2310C7032EF392ABFECFF7D0DAB30F8F9904A97DB8EF6C65973FF46D69975FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.073{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_uac_bypass_iscsicpl.yml.tmpMD5=599C678396EBD3361562A70120127E33,SHA256=DBEBF94BA5C8A93361F6261973F2ED7FDC4DC5BC13984BAA049C2194932C2EF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.071{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_wmi_module_load.yml.tmpMD5=09581BA463783B21AC2BB2BBACD7F4A6,SHA256=F655A9C58284A1676E41059423019322E3A0C2805CAD3EFB0BE5A396100E382E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.071{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_uac_bypass_via_dism.yml.tmpMD5=335617205159E630E6E08C2F4515CCC8,SHA256=C3E77DC50B99497DA938B0101625B8F4B3F88FBDC120A2EFC0802415FBFE227A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.068{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_vmware_xfer_load_dll_from_nondefault_path.yml.tmpMD5=C8A1BB7A96558CA8ECA6D4B5661EDA92,SHA256=480FC0582174E70E8A6359AB31B44FB9E305B1B64F9C8D38DB06B11ED3691DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.068{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_side_load_dbgcore_dll.yml.tmpMD5=822954431EE3B6474730DCF32CA013E9,SHA256=5001E0B3FFDC5E3106DDDF968F72C839988345214010106928EB03512D4D46B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.064{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_tttracer_mod_load.yml.tmpMD5=2E34F29F32B1B971FB0F577905761ACC,SHA256=F6B443E6627E7CBBB0D9EB3616CE164C855F289F524F93654FC105B7DCABE07D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.062{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_office_dotnet_clr_dll_load.yml.tmpMD5=DA0652C03B1A4E7637615BB33C47161B,SHA256=AA71DC982122808D6F748E1A66FC90E55F822899390E2BCCC64C6424AE5698ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.060{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_alternate_powershell_hosts_moduleload.yml.tmpMD5=841B9F06B85D44A6882ACAF0B3DE52FB,SHA256=320AFD3D53F859335EF39A48C4989CD5438E01EC307653893F21BB4B9770CDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.059{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_side_load_from_non_system_location.yml.tmpMD5=05349D0D0FAA5C67B134D19459F0ECF9,SHA256=A4AD7A69A5E680B00730FBA71B7D24CDF1B06A59A14114EBE730D39F1DAA5A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.057{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_python_image_load.yml.tmpMD5=73A1C260E4CF7C0DC21BF886EEEB7F04,SHA256=9BD730BA1F36CF9EA16A3012CBDB81ACE4A845002718EA7F5ACCA60F04A87B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.056{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_wmic_remote_xsl_scripting_dlls.yml.tmpMD5=2FCC0B01E370D7DAC5F9F6A96E893CFF,SHA256=2EFDCA05293FF1828DCA5E9919FB5EE175D0C2AE334E870FDE7466A69F0B3310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.053{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_defender_load_dll_from_nondefault_path.yml.tmpMD5=0DC5ADA20909D32C02C81EE4A86DC885,SHA256=081F70490AA5C3BC95BCAFCAE462E2DA33F5C317591E52EF431C4783C7451DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.051{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_office_dotnet_assembly_dll_load.yml.tmpMD5=C694578795F05A83A3507EE367C6002F,SHA256=74CD5AAFD2B5B3CF53DEB58E007DDF7F828061E51251B94FB4BBF8ED36177080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.050{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_pcre_net_load.yml.tmpMD5=B74D29AAE8AE9B83410DC0BF70553C08,SHA256=5E148C0441EBEFE28C73871687B35C355F6A25EB26772450FDAA2B568E60E6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.049{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_abusing_azure_browser_sso.yml.tmpMD5=FB8436895D24800585BB11F1FA8CDE5A,SHA256=7F4D11BFBB651573195B2735A8497B4B46196772E7E5494AF649A0873F462984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.046{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_cmstp.yml.tmpMD5=D386E7FCA68BF16714259C7DB7FB0254,SHA256=F30543F99BF9C06503E47F0CF347135AD53B88B91A1C8A51BDFCA742A5E5EF6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.045{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_susp_office_dsparse_dll_load.yml.tmpMD5=F4A762C65EC2574E155656D9B70EE1BA,SHA256=7B298E0D2D34E99F12074F27157F852DF748A486DFCD7DD5BC8812518369BB32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.043{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_usp_svchost_clfsw32.yml.tmpMD5=E41C8AF7CBE8411A2BA7922A185037F9,SHA256=2324062213F5FDE4A3B94A2AB23D653C89B74A8982CB5D05C843E312FC783606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.043{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_svchost_dll_search_order_hijack.yml.tmpMD5=44A4E5E97FD67CB2C59F8CCF4C4B1716,SHA256=D495A4992792B0024F5935B32FDF7F1D80A475181929E2EB01337813D356E985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.042{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\image_load\orig--image_load_unsigned_image_loaded_into_lsass.yml.tmpMD5=9CA578BF88B562EB8DE0F37C8BC61B2E,SHA256=351ADA065C8CE6D005446F2E287595AED298FD862C9940B7F0572DD88F71A07C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.040{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\raw_access_thread\orig--raw_access_thread_disk_access_using_illegitimate_tools.yml.tmpMD5=28F6A19372770EA5CE7E7461792FE0AA,SHA256=2DC59BAA3702A1514AEF162F0B2895F64BCCB8CF15ED16F6D573DC55C290D6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.039{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\orig--sigrev.tmpMD5=B90BB20C1852F6D47EDE75B829D35AB4,SHA256=74C51AEE9620B40766E6846B38114ED95F077FB2DCC88B72CF7829A18794EA0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.037{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\orig--changes.log.tmpMD5=838487C9A99FC4852040D754B7DC7DCB,SHA256=6059F5D6277DABEE567229BE22BCA6E97AC9DB8AACFBE1272D9AFBB8FEF760E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.025{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\orig--sigma-rules.sigs.tmpMD5=D7DFCB6C5964E266DCDAF5EF4A8D2634,SHA256=D5EA32A9C80A723F1EF9A04068D36010251103C355A1EDE11E50B34FCCCA0FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.024{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\iocs\orig--c2-iocs.dat.tmpMD5=E5ED2025CA5CBA7F7ECA77341ED45950,SHA256=1BEF9BB6A683B9E7357C64A4119292A5CB107E755F1844A9A13BB724F2F5D2CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.022{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\iocs\orig--keywords.dat.tmpMD5=7E7EFCC5C9462EFF1F3BB391E3765862,SHA256=7C741FBD9C3DE988A34205FC91E43BEF257893CB1E5EC917CC4D1D7F2635B9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.021{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\iocs\orig--filename-iocs.dat.tmpMD5=75D68B78169F80FE0653614756455B65,SHA256=5E5B2D115863B2A03836F993B7EEFD3EB8A9D8BBA4563984FEE4B94C34F1D392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.013{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\iocs\orig--otx-hash-iocs.dat.tmpMD5=702EBA7F6B99DE3FD9AFC3006667F72D,SHA256=D14EA1DA069A3A5CD34690C5EE5D84CF0558300742414BD5407AC10D42F8B800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:31.001{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\iocs\orig--hash-iocs.dat.tmpMD5=3B729AFB9CA372AF60642BEC643EEBA2,SHA256=EE73AFB3A16743DB24E69C6334AD275F2BE1BBFB910802E3C421DE2A6893F71A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:32.033{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2916C6F52896AB039234A407E6A6BD,SHA256=56CD02606F115237319FBE6B9221142632DFA5B3C99D12BDA1ADD4B4641D959A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.998{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_pypykatz.yml.tmpMD5=754B487E5ADEDCBE109EC8899E07B75F,SHA256=692FECE5A50C9416A8984A1DE6A4E6C6FD970396CEE0C01C98C692C51B8812BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.996{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_bginfo.yml.tmpMD5=BDA9E7667958E0AA89BDD21B0644207B,SHA256=F875E0871F456020511009A9A37E8BCE0E2ED0E438DC20B6259F8D92EAA32295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.995{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_certoc_execution.yml.tmpMD5=316A46BD2587F86D6F9E1BCF64DD2A84,SHA256=6DB90BB0A92E6F8542F9EF4A478DAD20C0AA8D6DB7F56F6D574502F23BD10EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.993{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_trust_discovery.yml.tmpMD5=62CA6069C0DCDC26249F512C472D387E,SHA256=39E8C02B5F9559659B4F4BDA4F94C7237253B04BFEF1E55A39EC05C047ACD2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.992{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_nslookup_poweshell_download.yml.tmpMD5=573BF3580278DFF0DDEFB16CDF50CACC,SHA256=92B25BBAE75A62D717C85E7A19751FF16BB5AD613C9B9110139BD6B9EB0A0EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.991{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_winrar_dmp.yml.tmpMD5=AC25C6E8E8218353A1AF8E8F05379400,SHA256=40955545CF9CFC5362064C8885B451C3CE1297CAF358A8E7DB7E33752C0879F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.990{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_regasm.yml.tmpMD5=D63A6B2A577A2F0722E8DF849594960F,SHA256=11BB5B5B7AEB0A83218D1C8C578102C5EEC7D947C70A6E022045FA7935A993AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.989{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_webshell_recon_detection.yml.tmpMD5=59F5D4A85F8AC4CA0B11A7A645765F1F,SHA256=C44A9D9520365D0ACFB8246C406DE08C8A049361FA629A21A9A29BFBABE8C286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.987{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powercfg.yml.tmpMD5=C8696AFD2D572598CD7458E063AE418E,SHA256=792FC6872C75A246AE5B6797EDF3495F55DCFA391A129132C25C6B0F384FFFF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.986{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_change_default_file_association.yml.tmpMD5=403A0EA4FE2C619949610DF470BD2C60,SHA256=A5C57F6E6549E52599B5295475A853ADA10B8CC6EF2CB78B0CCCC39D1EADA2DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.986{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_rpcss_anomalies.yml.tmpMD5=1B1E4E292A2779DA2909E75BBC5C23B2,SHA256=4BDAA0011499376BFB4546EDFA39E6D946A150B1A4AC5FFD09BC4EC9C5BEE31F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.984{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_gamaredon_ultravnc.yml.tmpMD5=C2559466A564B01CD556ADC2E089BF6B,SHA256=F9D8864BC17B38E1C5D6AEB9F0E4FF9BB9792074BA8A4D15AD1A3421179EFEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.983{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hktl_createminidump.yml.tmpMD5=9F0C4A846028E4FF41E6CC258D2B0274,SHA256=0E54AEA22E6EEA8568BC119E48BC6F0870751317E26C36CE71AB6A41F82125BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.982{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_eventvwr.yml.tmpMD5=5A3731C2B6CE0488AF30868942177539,SHA256=E9E73B57873B9A163780DC61DB182ED93D6F6E56E6A09DD0DF0EBBE225124B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.979{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msedge_minimized_download.yml.tmpMD5=9B055A21D0830779A4CEE24E2662E6DE,SHA256=B3D028CC689B4D8EB390C4CC54BA91E44C6F271D1C8DBDE70C0AC0399D6DFCC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.979{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_mshta_pattern.yml.tmpMD5=ABFA30F45744BF09A5AED4FB965BC5C0,SHA256=417EAB320D53A2B19037F3D0673809AFA82607B85ACD243AAA4A1AD622B05B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.979{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_sofacy.yml.tmpMD5=BE4C7602F34D2FBD5B80A8D4E03A0B47,SHA256=B17A9E2A934E4CF97DA358B7BB57BA4CA12D2571AD4E7B9A5558EECFF4ACAA11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.977{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_persistence_typed_paths.yml.tmpMD5=B8C51AA4B1D9A68F742906D8470E2585,SHA256=5023B15346F74C33553763AA8277089F72077922BD6BF426A8698E85FD4A0677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.975{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_new_kernel_driver_via_sc.yml.tmpMD5=749E711DE22EEDA2BE656FFFD2004067,SHA256=0F834C9BD99A896D5DF9E1E51E690BE5A06AC883394BED0B71D95143F5E18F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.973{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_termserv_proc_spawn.yml.tmpMD5=8F0516D3630CB04E82BD9CCF38BDAB58,SHA256=A1534C2E5322B52C174CD015F94057EFCD4D20490B0E2DCB39EB0641C263E0E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.971{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2017_8759.yml.tmpMD5=7E63456C8BC369A87088FEF6964FA1EF,SHA256=ECB3BC73AAF6D71642CFF825C1CD0E85B15A6E3534083896096FF70EE09B314B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.969{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_unc2452_ps.yml.tmpMD5=E48FD9708C34A74F27DAB71B3B781E41,SHA256=1E3A355EAF1CA4CA2206115B80DD12E6EB8691864EDCD642AB42E6F867212D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.968{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_findstr_recon_everyone.yml.tmpMD5=55AD84C368D3DDF5354BE55B236A371B,SHA256=3B3ABC816BCD7104DCEE48367EDC582F5B76D0CD07B78311B7C1F8178D728C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.966{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_attrib_hiding_files.yml.tmpMD5=2A68E765C3FCCFFF8E13D27CE3014A4C,SHA256=C388CB93FA89C57116C78673DEE8DD6988EA82FE25D0D9F2715D14D1B955AF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.966{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dll_sideload_vmware_xfer.yml.tmpMD5=938DD24B0B190AB42D9635682230E2E2,SHA256=A1FCA474455A7238686CF889F2BFF5AA3A4EAEBB39E851D4A1637587EFFCDBE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.964{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml.tmpMD5=94A2995E5E5FF2B54877593777A27CC4,SHA256=89D05FDBDC4E5BA851F04978F2F64C76F3F40424E403DA49EF7CB6903BABA96D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.962{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_vmtoolsd_susp_child_process.yml.tmpMD5=54BEEEF8B2788B4B8E2BAD3A5B69D050,SHA256=9E27DF6B36D96BDEF51D01BDE8E032664CD6913BAB5A4C501B249D57141F33A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.961{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_register_app.yml.tmpMD5=A40F53CACE2D70DFC55A168DE0EC784F,SHA256=168A5D2F0C99B4B2FEE2159427F61ACD86067972A6262D483C7C31A1A08B6450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.959{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_system_exe_anomaly.yml.tmpMD5=E077BB33B15DB788E0A41C327C8ECC6B,SHA256=AAE554C227080FF98F4B37F3C342BA3CBF17B49483D141E94E4B8E63306A1393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.958{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_use_of_vsjitdebugger_bin.yml.tmpMD5=6C655B66CFF219B109F7C9EE714F8E55,SHA256=17B9899F312EF102A38F06D7578ADB2D3B90DCFFF429E12473A7B65E5560868B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.957{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_commandline_path_traversal_evasion.yml.tmpMD5=C9CDEE678C73C462FAB29F2237841DF6,SHA256=DB4847958BD901C951625060A601EE4B6365D69DE8C6FB7137E72636F4E542CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.956{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_new_service_creation.yml.tmpMD5=62129C813AE2BD3036AD62C86CD861F9,SHA256=82404F3A1553D18810BA0C5636C42C869E81BFAF16AE3A17BEB92BDA037162A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.955{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_taskkill.yml.tmpMD5=5DC30B7E0C6AAE2BEC969C3CE6869102,SHA256=B0B44834A8BBEE0E786DDD2D09F012A17DB4F9ECBB66F51DE1A887AB5E552689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.954{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_unidentified_nov_18.yml.tmpMD5=0E9054548F863A2B1477B3E7B3AF082F,SHA256=9826BC4D8F1134F8A34FF97A25DA970DB138AD0BC3AA61E6BEA9F2B3780B09F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.951{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_psexesvc_start.yml.tmpMD5=E5551A2F8391E7D77DC0F43EE8A3E192,SHA256=0DF3259823F313179CC16A262C1AAFDAD023C2A6D98117810DD8DB54D80E9499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.949{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_disable_service.yml.tmpMD5=4D98D21B48890C3C68C5A545B079B77E,SHA256=8D910D830B897A24C567BB7DC545B36AAB3FFCD062B2935D863963A44BFC376A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.948{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msiexec_install_remote.yml.tmpMD5=1F9FD33622C73F82729666B2A06F6DCF,SHA256=FF7FA131889C3F25723F078F712052019CF8CEF2B1E0D1D17AE58D8D2429F22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.947{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_cmdline_special_characters.yml.tmpMD5=9B93ED4B27B19E4C67108C2241185379,SHA256=859F1D27B939F13F6B6D72672C1CEFF43C9CC506E16A3C68A0552F798D2DCA11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.946{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_rubeus.yml.tmpMD5=CD8FB949706B0408D6A1DFF8A0F1751A,SHA256=9A9BA642132473386D2E373DEE97C543C57A8FB1986FE07465DBCB59AF2A534A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.945{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml.tmpMD5=8ADEB3A19699303FCAD17701463307FA,SHA256=5FE95AC7442A30D6D61DF168556309853A2B2BB06D6354C896D2BE1E05B9D2A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.944{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_wmic_security_product_uninstall.yml.tmpMD5=88C86DDE964E08AFB921AAA405B025A8,SHA256=776A8FB6F4C609AD7646F60A7A9ABA914DA64DDF5601A7C8F931FEDFFC6FFB6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.943{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_python_pty_spawn.yml.tmpMD5=5194ADFE64F2659CD14838A967B1BDFD,SHA256=BA37EFB25550C7DAE58416F168B110955CDA513243D99767F777F71759A4AF30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.941{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_devinit_lolbin.yml.tmpMD5=5CBA527DD1C18FD48273F8548F1C4869,SHA256=0D3265E69FAE1674E8C4FBE2E5DF0F56DF7432D8F6CAD937C93413F5C80E6EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.940{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_psh_amsi_bypass_pattern_nov22.yml.tmpMD5=D8E764641AD453F91A70FA2050E501AA,SHA256=E2D01DDDB2CC3642637A6AC013BBF14E2B1BDFADA293277EFE8F781591249F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.939{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_zip_compress.yml.tmpMD5=D8D5743360A451D77C513FF2F94AF1FD,SHA256=3D6D8662697B1CC42AD59431F8AB640F719317D7C6C1962A61654B319A217507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.936{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_iss_module_install.yml.tmpMD5=0473EB19EA6A451420D0C12F2EEE35F9,SHA256=24F3DBE88538301788CDF08B2583D664EAE97C2FEC83E0423DEA79CC6126DD9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.934{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_browsercore.yml.tmpMD5=44597A5D374B3ABE66A1E0CF8009A64F,SHA256=915B8BA5901C32AEA286B680EC60F43E33EF32C4274AF9E291DBEB178F5C567A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.934{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_etw_trace_evasion.yml.tmpMD5=3A499A77F6291A1017A0344D47D31FFD,SHA256=A09BB19E6DD1EB984FF0245D9F705BDBD7075E0CDAFF54D4E72F9600564669B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.932{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_advanced_ip_scanner.yml.tmpMD5=8CA81C456FDD090B851C6E5F2AD51C53,SHA256=7132DB1E41932F921600FF1831A37059666994CF219DD3EA0929D232DECE4FFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.930{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_command_flag_pattern.yml.tmpMD5=B29CC24E626D7344CC964A5BB107096F,SHA256=2E82710AA93172B5A447D223158FD9C02D731C62E5A9EE632F66430A50B05F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.929{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_curl_useragent.yml.tmpMD5=6964A804332F090C93D879953E313205,SHA256=126EC5DC20E905C90142644A1239AFE28FCB4E3917047D5E446B2ACCBA6A0205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.928{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmd_read_contents.yml.tmpMD5=F3CC2C77483300AA8F91970689C9D3E8,SHA256=B7E0EA6617F9A7A26679B22810FAFB45EA30198E15B6A4BBC9ACFBD9ACF7C9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.926{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_winpeas_tool.yml.tmpMD5=58C31615AC1355CB4C904F6C239626E7,SHA256=6D445CD3C0418B6C88851B724BC0449B5D8F88B69AFF7CCCEDC179F62E2394B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.925{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_recon_network_activity.yml.tmpMD5=4296243A7EB5B0513A272B8433BC6057,SHA256=034E4C6F20DE381DAB3CE45B03B89E53EED0ED42B89AEC39761C8521108D84E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.924{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_schtasks_once_0000.yml.tmpMD5=664F11219DB015E14D9C0063A91DA4DF,SHA256=418394C1E5DAF74C77205612B26DA555E869375E1D7717AB12884C404CB00D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.922{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_dump_sam.yml.tmpMD5=549E88A631A225BFEFEBE7D35EF792FC,SHA256=811E333E33792C0B097F966C02084BE6694F1E739948BDCD3EF1189C690422A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.922{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml.tmpMD5=DEA3A9D25C48437BE71906A2140E5794,SHA256=CE46BCE88EF5797A364F4FBAE2C08EF65A3E0663CBA05414FEA2A9D4502601F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.921{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmi_backdoor_exchange_transport_agent.yml.tmpMD5=1C5CE1456AD4DD4CDB7E2F267A4F95B8,SHA256=93027136A02540911BFB4885E74185D36BEE894B998CEAC2C4D180CC67B81D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.921{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_webclient_casing.yml.tmpMD5=053C6C194C589BE2BEA86B94D4433B8B,SHA256=637959EAF8D2911D39B7CDC567D10F6CD07A7AF392DB3BFCF3794C78869CFE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.919{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_iis_module_registration.yml.tmpMD5=AC84861205B0CF48C4BCABF0D53D2B9B,SHA256=AA5A8BA635E337C9041D0E7BE60C8FE084D3CCCA63F3EB85B9061E777631D196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.918{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_nmap.yml.tmpMD5=79D349ABDCAC29AF9AD6032ADB5ED7E4,SHA256=237720A63B16C2B98F37AA5D034A04D7F678AAF1A1BA21BCDC3C3F77F82B60B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.916{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_rundll32_dllregisterserver.yml.tmpMD5=D213DCC6B415BDFA42C8C863FAEFCF17,SHA256=D2659A4E1A32946F08D27CFCA7057434E1D8263F5F86405185BCB7BC8C4F56B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.914{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_certutil_command.yml.tmpMD5=E3CF24BAB7737932DC834477A098057F,SHA256=2D647A760CB91BDCC4ABD0B3E720A9D1895594D09F51908B2962C96F991C5BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.913{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_lazarus_activity_apr21.yml.tmpMD5=F829E8D936E33FF9519A763B72258FAF,SHA256=F1E9C0C3F03FAF0B7213C348A50C0728255B25DD8ACF744EBB9A399E9C1B40F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.912{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_cmdline_convertto_securestring.yml.tmpMD5=36067975E3548323CEFEAB9E589FD9BA,SHA256=FA237E11DD81929A974A4E7DE800A0D495CDFF7D3D8D73F87ACB581F6252684E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.912{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_visualuiaverifynative.yml.tmpMD5=0B327E27C8DFE574B9200EC21A9719EF,SHA256=83E99E8AB27EB2FF6E09CF6BE4454A1A53D02D9AD100C4D0AD53BFD6D69514E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.909{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_encode.yml.tmpMD5=2EC820084E90392F8D5653AE68D2EF48,SHA256=1E54BDAB14BD22F028AD04B5F630B075B0DD2ABCC3D7CCB0BA2E9858F4701F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.909{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mstsc.yml.tmpMD5=926CE0BD370AED4E2352337F4BB3830B,SHA256=29643DF264AF19350A968F68CA518E45FC14052CC1D7736DB70B95BEA18201B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.907{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_protocolhandler_susp_file.yml.tmpMD5=B3F767C9136C34C63F262D30C394E0F7,SHA256=CFA921BB2E32D26337950390DF6BDED304B6DD23DB71D48A92F6857356A5379E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.906{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_msiexec_cwd.yml.tmpMD5=65CCFE9E8740555F6680943BC7327554,SHA256=0ECC3FF00650EE59D4F740286001FCCFB11226E354E59F54CBDB6118B9C16340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.905{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bitsadmin_download_susp_targetfolder.yml.tmpMD5=0D6AC879847F3F7BDA9D4FE2B133A0AE,SHA256=FEB9F444115D32F024DCF98A38A4C7190E5BD7DAD4D650CC241DB947E49D64E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.903{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_email_exfil_via_powershell.yml.tmpMD5=C9FDD3A268B74B1C18867994A8E93D0C,SHA256=75F18D17A7E261F6DF6BB2E9053D5E9E1ECBC2CC709B1B6AE82F35492BB2CC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.901{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_stickykey_like_backdoor.yml.tmpMD5=CEDF63DFC29BE977CE8F9F34058E18F1,SHA256=B431B077872E216A48582DFC96E510F97F573CCD1ACB3FB1A07D6FB28200615B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.901{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msdt_diagcab.yml.tmpMD5=596317E391D448EC7F4CC3B0AC29790B,SHA256=29FFEC1A96A4B0C592580EDB829D4219AF254B12ED08DD3F1F8263DDE10FA75C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.899{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_extrac32_ads.yml.tmpMD5=34F66A35719E6D68064A12CE248BA966,SHA256=A07DD80CED9EB9A6D771C49C2CC4D107EC9D72DC3FBF781D182F53E64AA6E25A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.897{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_copy_system32.yml.tmpMD5=F6B0E1362891E09AB9D9618C7B6665FA,SHA256=96211668A756A4F5CF570DEA479D7C87A4AEE36F19E2C576AC9FA1581C357DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.896{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_emotet_rundll32_execution.yml.tmpMD5=9231E54F8FB5C6F405574197F1E4B708,SHA256=A52F68CCBC618E14ACE3B188833F7A5E63D9473E88E2B0803428DDB11AE91574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.894{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cobaltstrike_bloopers_cmd.yml.tmpMD5=FFD15608CA6A5FD37204188C1A78F742,SHA256=094B86364E7B71B97BDDFCA7AA93965E36511082C3C69057A8EDD922D20C939B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.893{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_archiver_iso_phishing.yml.tmpMD5=4AD88DD4551E5B32252CFD5BA1872A5F,SHA256=E1BA5FF86BC46C083A7D93F30F6F5DFC4ADA2D658A27012B00AF88838EC7D74C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.888{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_bootconf_mod.yml.tmpMD5=282B7B68FEFEE3565E39B3AB565825FE,SHA256=7A0BC9DDAD4C11C6F4F1AFE11A97FE7AF9925031E7E0A57DC868FD8AA28B5878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.887{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mailboxexport_share.yml.tmpMD5=C8B4ADE2D2507368808DFF0BB6729563,SHA256=3301AD2023548CB7AC679C25889C70351C6C8446DD8F2F0D010CD5AAAFF5C419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.885{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ps_appdata.yml.tmpMD5=CE3C1B78A58110B4B9A410D2E16612E7,SHA256=9F46AE02A8078F131C6F311CFA689D624031D3447729D3E95ACCED8A94A77B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.884{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_nimgrab.yml.tmpMD5=2402B40272CE3A79EA4950FC3470DDF5,SHA256=D5C607143CD8C071577B6370C0082D67ED8254A572B8B0B966ADCC19FFB11FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.883{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_encoded_param.yml.tmpMD5=A14E3A76352E462F2A6C1E89B0E1CAC6,SHA256=D00DB083C519302E542C58264AD62082F5C8E3014BE26C34F9D7FCD5C264E536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.883{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_spawn_exe_from_users_directory.yml.tmpMD5=DDE6DCFED5505A6D937B5A66B90B812D,SHA256=02ED76BDADF1067A2D5D00F453E66088DE2B143C7D507A9B43123E02A8DCE941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.881{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml.tmpMD5=13D7096CA00910B156B57146A9C8ED5D,SHA256=DFE8AFE0416341138CA7AE293B4DB22530B07F962E4F640239C8E3119D9870F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.879{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_cscript_vbs.yml.tmpMD5=3410B0D3A8D8765989B5E3EBAFF7354E,SHA256=ACDBF927E07245E1490E722EDC4571ED7929EA7592867ACF7144B2DCD08F6C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.877{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_msconfig_gui.yml.tmpMD5=E5B2F22F198B6D603A8D6D48086AB422,SHA256=4CCF8CE006A00267B5853B01A4F960707B2134CB597EB61EBD90484C898C3627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.876{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml.tmpMD5=E32D1088F74D2CF905AEFB09FD26248C,SHA256=97A032E64FCBB2E97E24EB2A3C48C1166186A8C1925853FEE9B72A5EC2C12C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.874{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wpbbin_persistence.yml.tmpMD5=B9283B18D8A74AD6527B6AC3F33780C6,SHA256=4278A730AAF1B1F179A800243A83AAF002596475A89D720E0234CEE41C9CCEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.873{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ntdsutil_usage.yml.tmpMD5=5AC03C98BD87AE098F01552D451DBD02,SHA256=EE473309288E7027D100AE53BA6450A61E2F630C66DE9A00F8FC040D954B74A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.871{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_control_dll_load.yml.tmpMD5=7C4BA176EC8FEFE846AF558080B3DB00,SHA256=612577CFCC2AFE4155FF81F5E98503894DA98660D91298E4D364DCF385D96740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.869{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_nps.yml.tmpMD5=836E843D91A13203E062A3B82B2EE0AC,SHA256=A96BE9539A94DC9D0081236E9A70BEF6C705902EFEF6DA2D9DDDC94423551AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.868{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_proc_dump_susp_dumpminitool.yml.tmpMD5=8210D7F59146745B6DB73084B7D2E311,SHA256=4460CFCF77A81FB63902FBF2B1536677D70E7FD1D0626B57DA9F73E535CC58F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.866{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_wannacry.yml.tmpMD5=621B6521AA29230499E01590FD49D400,SHA256=9C7F1AFC5F1DEE21BDBE0B58E4BEADF5CCB0CBFCAA2176A060E1150C552FA2E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.866{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_use_of_te_bin.yml.tmpMD5=CEE3171CAA3754908059FEA696EEBF26,SHA256=BB7041DAFE499B9309BDE773C9E4059484E39AE6CB1AD725AD16EE006EBBB88E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.864{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_unc2452_cmds.yml.tmpMD5=BCBF8F1688BC373B5FF855504F6457C6,SHA256=7F1CEDBA00641E2BF43B1A73D0BB9BCF03DCEF94C6AEF645884B9EC20B30E113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.862{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_multiple_susp_cli.yml.tmpMD5=446A9791CFA8A59DF9C21C18CBC51CA6,SHA256=B80264FE146016B2B5B04391A66B534C7B46290AE8931F94CE1B6826C0D3438C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.861{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_squirrel.yml.tmpMD5=4ED65B2ECEAB5BF888B324F4B20327C0,SHA256=3E80C60AD4B22ADCF0FE38FAD73F2B5BFBA1E2E17A5097D0E3D4F146D693F02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.860{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_bear_activity_gtr19.yml.tmpMD5=2C9B220C4B01A6CBD6D4DBBF0E2F94A0,SHA256=1260DCAD55B118ADAFC2FA854B2808C713521BBA4C2179426D625CD53C7E2C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.859{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_disable_ie_features.yml.tmpMD5=BB50829A94EB3210896899F9EDE5AA56,SHA256=8D634DD01B115B550ADC377A79A4113C519A2069F4D76E9565FCA3D95846C493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.857{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_base64_invoke_susp_cmdlets.yml.tmpMD5=EC4284F8F340F132CD3A62522DA306A1,SHA256=AE9F1A007361D71F78E7B7941C1C7FAD6CCFC67D26D557945F3A160368864A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.856{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mshta_spawn_shell.yml.tmpMD5=BF168A9D7512E4A302F492899AD53828,SHA256=B5BCEC41DA01F256DB0F78E51E8BA0746DFC12AD2F14E0F7014DA82E13E40441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.856{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_disable_raccine.yml.tmpMD5=E0EB49D4DD7F780EEE8A4D8BABF81797,SHA256=01BFFBDDDCD7C55EC827DA9A149B1FAE47705A8C75F7BA0FA947A4D1A5A14FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.854{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2019_1388.yml.tmpMD5=C1312684A4B1F4BE7B03726B411BC96E,SHA256=2FA99163AB88505867A9BAC00C489B7734B669743895FA791F3E7748C4C08A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.854{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hh_chm_http.yml.tmpMD5=B409F7A809E23D62966DC0E8534F2B93,SHA256=8B9C9BBBBEEEC9168733708CF1F88F9C1DC813A630698A5CF7970B3DCC6B6E97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.853{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_notpetya.yml.tmpMD5=A958AC2CD8618359646437448D267464,SHA256=9839CF1AF998A0AED2C78F103FED94225D5C611F5BBCC35BA09222B5610B3BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.851{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_icacls_deny.yml.tmpMD5=DB28FF5A5EE04C690DE8D25333937DFF,SHA256=F75BBEF1A6D1153F7197CF2FFFC5E74A9CEB127AB8984E5AED478B3AE453E55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.850{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_utilityfunctions.yml.tmpMD5=1AE6A603B34D8CCD72B9F3B23B1C01B6,SHA256=9444D9AE70A5310B9B03DB44F05175C88A0F36AB5A32579ED463CE5B4D14ABCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.848{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sdelete.yml.tmpMD5=399300889312013A5C80AE8B36EA1A0B,SHA256=8005A0BBD366FEFAC2DAC00453A87A5CC9818BDFBE1092A4CBAA76B7458C1C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.847{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_qbot.yml.tmpMD5=1EE28FF7D20137827E8A1837980E68A5,SHA256=766D8C507673967E0E9C1919C91AC626C7A37FC131AB062F07DE9094CC448268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.847{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-065MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.836{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE8B71FC2916C706B675D6435CA8E9A,SHA256=F9D50114976AB3F36A445B4E65F0D248017B8076A80E908BA778C79562ED544F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.393{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_codepage_lookup.yml.tmpMD5=B8C522178AE58884519717D5606DAF28,SHA256=B5AF61EFDCFDDCC65B1A1B6763E2B9EDA1FE4F537B7F490C0133D377CA39FBD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.260{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_interactive_at.yml.tmpMD5=A337BA85C080A89F7C901AB9903A2D3A,SHA256=2091C7337055B5032E3513B1DC34529807D23AF9280771526498C95F6BF0489A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.258{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE2509CA83D6596562D1E91AAABA436,SHA256=887B315CAB287D81AF8BF70216B6874AFFB4A9FE8CFB5C2096A77733CF2D6B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.257{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_base64_listing_shadowcopy.yml.tmpMD5=5D5EB6D26562FD31EC96BE575F53A708,SHA256=F97EC6B582416E172A63ABC0E698FAE1F2232F5524F0C5C3C304F6C27E5A74FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.257{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA4C301009D2F81B11F5E98BA56912BC,SHA256=82D58663228C0EC518B71AF283CD110534DEBF4885832A1E1B82A037846CBF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.252{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_remote_powershell_session_process.yml.tmpMD5=608E0C59BBB9096C7A7CCEC610C3E6C9,SHA256=35675CBD96A6BBC56855A20640CFAE862319C4EBD6190238817B4FF387756AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.251{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_pingback_backdoor.yml.tmpMD5=95A9CBBBFBC6F9266C092C488D94663C,SHA256=22AE86D4299FBBA5C416AA0C4D1E939D64DB29DB7D4C28176C0E987D44EDDDE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.249{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_redirect_to_stream.yml.tmpMD5=457EA301B4A69679F642B602C818370C,SHA256=8FD342B9BA398DCB3FCCBC3A0DF30CE33E1278AFE1963E05BED1AA472FBFB216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.247{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_shell_spawn_by_java.yml.tmpMD5=30F9C9422A9E46D1B1631F31CE0CC3E9,SHA256=9C264C93FEB6F983C419D0A6CE2B21B882E0B063F0E99E043653E06C31C7B134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.245{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_presentationhost_download.yml.tmpMD5=E4226300A53F76E1FC4EFE3CA63C60F5,SHA256=B604C7DD24811305422A469EBD3A4800144643D10802AEF96908959AB9FEB6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.244{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_network_listing_connections.yml.tmpMD5=B8DF1DFEE1A2FF1B0BCF45DCB0744953,SHA256=21A7485D607DA167CC3D710098075C0A9DC41E9D00E0FEFF4FB36CB0EB889391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.242{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_pdq_deploy.yml.tmpMD5=3E964B1859075700644952D986B89709,SHA256=2FB6A4324946EA1921D1A1C39B2477AFECC1AD34B70CCA79BF0BBEAA6BF59044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.240{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_pester.yml.tmpMD5=BDAF7B40917C0BAB7E67617E579A6F23,SHA256=5C91B3FD875C5444FFAC42F2FADF452A00BF0B72D13B320846F3C1BE89BC6849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.238{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_computersystem_recon.yml.tmpMD5=7F95582FEB7172A7F8A96BD8DA27A081,SHA256=8A9AF7D8EBE5FF61A527D3491F3E1700752C53FECDD953B4FDBB5845AB7A9CF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.235{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_network_command.yml.tmpMD5=B9893773078AD885E4FE2C1B16C3AAD8,SHA256=A13AF0F70DFD719E5A77300EAAB2808F15AD7F349F19D0A0B97F0FE9CCC7A972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.231{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sharp_chisel_usage.yml.tmpMD5=31973E6A0081A165B510AC0A9DEFD09A,SHA256=586D5E8B01A506445A2209C32CEFE19A67732D49226B93B741E8470822AC29F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.226{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbins_by_office_applications.yml.tmpMD5=B344AF473780B8AF4958D61538607A6F,SHA256=97F207ABC4098E17187AB22892A0C95668084E6BB07B5B17AC27D57D4119EE40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.224{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_instalutil.yml.tmpMD5=253E33E89FA4ED7731B27D227CF1AF66,SHA256=3DCEFA8DEED97BDC5EEF4EBBF111AA038C3D95E2D758DDCF77BE38FB70CB5B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.222{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_sharpview.yml.tmpMD5=D897911423C0AF43C97B2BF3319B2346,SHA256=D94BB1F8FABF219B2B3EAD3E62013F5191C2515BB15EC0B23109D511EC6AD3F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.220{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sysinternals_psservice.yml.tmpMD5=C85ECE75AF55EFEBDF1A7AB4E44A1F1A,SHA256=C778988F3208B1AB24FBBD3303732BCFE45E0BCAE1D99563609586A0651783A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.218{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_plink.yml.tmpMD5=E5EDB58C754A874117318AE16E1934DD,SHA256=23F37C1F6AE2F83D0B908EC23EFD4170D5FA451C5B9843DA964D5627A18B40AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.218{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_installutil_download.yml.tmpMD5=9BC980910B587E124A51ED6BE65BC7E5,SHA256=C25E4A0EA04A85A41D4BD66FBADB6B25931EBB75E9EFBF94A7DDF6D5E03C0207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.216{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2020_10189.yml.tmpMD5=AEA4F26540F54D5BA47AF18962748635,SHA256=6C902C5883F627FD58E1F9862D1D5630D2E444808AE1450BAA071BBFC48932D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.216{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_bitstransfer.yml.tmpMD5=956C5F471DEB644CA8CC58E7FFF54719,SHA256=DF7BCF067A662ADC5E0E61B8AD55C60B2B4EF90F93B35EFED4A226A9D67F0B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.214{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_user_discovery_get_aduser.yml.tmpMD5=27868BFFD5146626BFF7500D769FE523,SHA256=7347857A2974E25C601B879AA7D92BC50280D1B3A661D30CAFC3608043CC7B19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.213{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_turla_commands_medium.yml.tmpMD5=982F32EB3854A6B3318C2FD1CF87A59F,SHA256=68730C5E7911092AFF51694ABB4E844B31B5E133CB98887F0CD0E2BE7DAF7AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.211{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_electron_app_children.yml.tmpMD5=5431CE9A534C4C476CADF4AF6332246E,SHA256=E69CB457F70BB7DE56E1F67F4A2C253A1CB276BC31BF566204F2F47B2D2B40AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.209{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_service_dir.yml.tmpMD5=5A5AF3CE5739FD514B51E0040232CE67,SHA256=44D1FB382ADFCDF1DA067B84348ED973DD6784D755F5F85765237004E1B73DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.207{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_indirect_command_execution_forfiles.yml.tmpMD5=3266241F3DB1A7B395328E7DF8B9262E,SHA256=40F33D5E5A11DDC7F333045FE0B56CFD6A69EFDD1D83B6FEF22CC00C1F83488F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.205{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_remove_windows_defender_definition_files.yml.tmpMD5=B6867E2CBFE9BFE07E0BD262F306903D,SHA256=68B86AA4A819B0FA3E7AD4E7750001EAA0978D1F159C28E2BD7804AA7BCF38C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.201{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_wuauclt.yml.tmpMD5=5E43D86B65F6249DE82E4D9AF9A85CCF,SHA256=FEB12FE8E3F8B19B66CE3CE43B240A4404BD1059FEDFD3D87EF39E88BC1B4238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.200{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_execution_path.yml.tmpMD5=FF97A84B48C3430CC83C6C0F51C10033,SHA256=4BB7FB6FBB0AFE3D3BE82D765D8DE19927128FF6803E86F9ED1E9EC6142DA266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.199{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ntfs_short_name_use_cli.yml.tmpMD5=F365957857911E74F864D61E1532A06C,SHA256=3C44BF88F9F61B913F0217D2C809039C3AC3345510E9465F46C47F97AEE0D957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.195{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_sam_access.yml.tmpMD5=C12F44BF066C354F8238AB0890684D3B,SHA256=9D71CA6BA41376B7907F5C32D3A18F15D9526185E17CB5BB9021245F34D90CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.194{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_enumeration_for_credentials_cli.yml.tmpMD5=254F326BB2BC3FA5A0DFD60786EEC4B2,SHA256=7013C161EEA32D81F9AE27C43A2EE53B22A2D3AD182DB49B9F900CE38BE0266C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.189{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_procdump_evasion.yml.tmpMD5=C7D6743B4B282713DBFCDDFF89B82334,SHA256=37428B32F73D7A5E54D263D6BEB8E475AFBA25B3CBEF45350A545AC22984E10B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.189{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_shell_spawn_from_mssql.yml.tmpMD5=FA966DE62040FD5088DEB25DFB66B19C,SHA256=6392B86A5632D486291CF4F9F025588883F6A6812D8C312BE1C3ADF1316D04D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.186{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_runonce_execution.yml.tmpMD5=FD05C54F7FC5763F87D1BD2741AE7ACF,SHA256=B1B6FF84FE2ED74162C11E9D8D107AAF8DA4E8475889FA58B3BD0B450BD0A2CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.185{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_logmein.yml.tmpMD5=FDE67D61339E79A18F5A50988A83A935,SHA256=D4F928BEBAF397E7464655674603B0BFA87B6DF82090C30BEE74AC5FBD4A0D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.183{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_svchost.yml.tmpMD5=0A6BA1AA8C2381D814BD3FE351566EBB,SHA256=361767334551A2038D500913BCED2C3442CDD7B53861B74A5860A9C87DFD5EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.182{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_cl_loadassembly.yml.tmpMD5=BECED15C8BFBA19F02AE8D688F3AF39E,SHA256=08E56EADB2DA0FFD55EA2F0DB9EC7C2246A263317B2656090E92056BE84DA1BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.181{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lethalhta.yml.tmpMD5=33399D576DC963C2CEFBD8945C9C2907,SHA256=EC54AD05D49BB44CA75841F73D9BBBE1F3BC0F2D471A76E52A09D629771BF9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.180{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mimikatz_command_line.yml.tmpMD5=AE7CBEC4E717452919A17893512FA12B,SHA256=2BFE4EF99D17B475BFF8DB5E81C3DC5483EE015E9D9A310603CCE0FB8C341C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.178{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_winrar_execution.yml.tmpMD5=F13A78927E6B4038684FBFFDD670D08F,SHA256=F7C7ACB6840F1F5C3D52EB4F0ADE5F5B2C2E0949AA6309EFD217A2A76BFBF206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.176{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ntfs_short_name_path_use_cli.yml.tmpMD5=472E762F122F987F3036B37289F8D4D2,SHA256=05AC84976D20342DD4ED9550216266DCFD83C944BC2E384E5481FFA024D423CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.175{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_inveigh.yml.tmpMD5=8A2C86D347329C707AB458D287778EED,SHA256=C0C9A3BB3BB6F9F503ECDCF4C36ACB59F605698B44A4D85249B7FAC722C3623C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000841794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:29.667{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54106-false10.0.1.12-8000- 23542300x8000000000000000841793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.174{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_crime_snatch_ransomware.yml.tmpMD5=67B515450E0C6E4D2EB84F02639FED01,SHA256=5BEEF176B7A8460FA875BA4E231730DC3C1390C4F400E182AAB279E8F4A4F65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.173{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_creative_cloud_node_abuse.yml.tmpMD5=DEE9DB6F891398CC10593BB263F561F3,SHA256=E185884607FD28C9D317F45BC695D4E8EA4102A3271C1F69B6CEB48D0DB0AE62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.171{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_silenttrinity_stage_use.yml.tmpMD5=3FE60422F00EFD152C4463CBB027E508,SHA256=A4E18DE7D7F97386371294A8EA76475E3455E7750E06CDCD5E4B3127B52F8ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.171{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_file_characteristics.yml.tmpMD5=8E0FB2F79C441567C5408590449AFBE2,SHA256=2ADFED77676F5FA061F1DC24DB0441BDE55E7CD73379B165389F80D24CCBA23E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.170{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_net_user_add.yml.tmpMD5=275FEE1F7BCF7A6613B98825AA59C6C9,SHA256=85A4B361864BE3F8C30E40F96CF57669C06038FB291CE114AEC33B03567EDC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.169{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_ieinstal.yml.tmpMD5=77370869CD9EB3601A9C6870F4D02A39,SHA256=0DA49B4376AAF7A46E6938467F4D4B02660C460E89FEF7747D3EA338FB72B7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.168{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_rundll32_unc_path.yml.tmpMD5=842DCEFA7701D44BA38CDFB6CD2CEE37,SHA256=F64CEB58F19336060EC1C9E44503C3497339143B6CBCCAB1F28FF600C5F2F5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.166{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_grabbing_sensitive_hives_via_reg.yml.tmpMD5=8A15ADE49B347F43A34C96897338142A,SHA256=7EF6B56445D9E07AE74F1BE64F74BF16623A7C67C18B6A9BF445EFB682C76B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.165{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_diantz_remote_cab.yml.tmpMD5=E58A1CE75793342B1EC0E822BF0C0D05,SHA256=3ECE9E8CDD198BAFFD47AA29523E962A13F8692E7A8AB1E7736C9627F81E64F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.164{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_adfind_usage.yml.tmpMD5=CEBCB4B39640C85FD3F530E6F8922863,SHA256=3001C4B22204F88858303AEE1FC0897049D05378B7595B4D8B281DFDE6DCAACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.163{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_use_of_csharp_console.yml.tmpMD5=1592CF8C76E37C5FF45D8D15BC995415,SHA256=BCD9747E274D38F2AA0B1329C456B7B43FB4DF0CB0D0C09BF936A290F0705521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.162{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_jusched.yml.tmpMD5=EC70D35EFAE231985C399B2925A3246B,SHA256=F00437F1D4467E8C17DF0C4D7F7427EF84260AA6A875A7679CD6B833E988BB6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.161{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_whoami_as_param.yml.tmpMD5=E10F6E2881321A2A0598BA9D89109D5C,SHA256=B295369B4BF4182FCFF586A97C30017FE8D015A9F3C9AD08FA0A2C17E70E1A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.158{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml.tmpMD5=ACFF42976300D9C4484A509D360DE8FC,SHA256=2622C71A69C6290DECB62D7ACEF81F18CFD3821E3DD9AA4F1177BE4C2D9A9D4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.156{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_always_install_elevated_windows_installer.yml.tmpMD5=25C6254A70264CDB56132F4A861868AC,SHA256=7BA30981C91796291D75730D0C12031F526BB78EDFC7A6BDF43A6AAD3F5E7470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.155{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_sourgrum.yml.tmpMD5=412B82541F104409CBB862D16440B069,SHA256=46722545052596C29EACD7959AE0B6FF5379C1EAFD8FB322BE295093344C6EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.153{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_winword.yml.tmpMD5=36C28D369233F02D90F1830E11D06E3F,SHA256=0FF33639EE6D8172212EA7B12ED4C4C444675428EFF51B499968AA0EB1011FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.153{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_impacket_lateralization.yml.tmpMD5=B17289A15E34900BE606DC17713D9AE6,SHA256=DBCBCBEEC75E82F6151311A9ED50BAA8692D0286FE49D17198BBDB82A3B4E4E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.152{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_actinium_persistence.yml.tmpMD5=91AB9BB28C745F5D21B1D66DAC8C47CE,SHA256=94FE7F3C3A3B4C626B0EBE3F9CEB41313D4CDE438AAE0AAFA710590EA230D1DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.150{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regsvr32_no_dll.yml.tmpMD5=9659B573615121CE3C531F6622F0357F,SHA256=FB695517B0BBAE5B3E7630A56E73853D21A621C3E1C5D1B3D4D05E470DDA9C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.149{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_clip.yml.tmpMD5=359EC12E04749E395B80999C4A54EC72,SHA256=4590DEC9061E9DDA694CB8D83B4AC6CCF680BBD00E812EEA0F0E4E3C5029422B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.147{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dnscat2_powershell_implementation.yml.tmpMD5=EFFD485560ED23BCE21B112E6209D6F2,SHA256=26B5120BBA4430136596C4A4E57DA743B170F54EC3C2F54CA31F5550C9354E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.146{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_user_temp.yml.tmpMD5=49C470B56A8BEBDC7E67439156A80565,SHA256=BAD95C1AE925FC180D7B85BF2996B5E8F524EDC0FB2EDFFADBF06EC024FCF02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.145{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_conti_cmd_ransomware.yml.tmpMD5=542869233EEE48104E960B79F5D6DF58,SHA256=27595E0F23F10084E5A2C2B1162D8B4ED2786500257F68178864D0E1AC4A236F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.144{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml.tmpMD5=BD42FC7BBF54A4C51C510E961F3DA884,SHA256=C6F302F6E522E5ED14D925C730643111634E2BD6DB37512B726AC4AB7AB62EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.142{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_web_sysaidserver.yml.tmpMD5=0D25E9A7020A4017BE4E26691112C989,SHA256=D471A9BD2F2926B526EB1CD86BE5A2A824495F834072D2C125B1A16CA61C9593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.142{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mal_adwind.yml.tmpMD5=D193F9B62922EA7261874879D9D78EF2,SHA256=B618EB0862AA89CB114C8531F5D1B711FACD734886E266D6DBF745179E9E30F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.140{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_trolleyexpress_procdump.yml.tmpMD5=524C4D43DED9DC7A599E938C7D9EDA96,SHA256=B367160AE053C063ECBAE61AC0AEE3FE7D1339F3E9B0073F5A0534F67B7B16EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.138{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_renamed_dctask64.yml.tmpMD5=554ADBE59490AD2402725C88489FBB77,SHA256=5009E3318F0055E5805DBFB955F4BF61C6D869E8CEB532CCF5ED170841AC7C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.137{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_dllhost_no_cli.yml.tmpMD5=1FA6FA696CC246D0C20FC66A08FD6EDA,SHA256=AB36007BF6A16E94A7DBFD803B8C635DAF212F30BD398CDFFF6E4B44FCC43681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.137{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_mftrace.yml.tmpMD5=D172A86B0D4706317BF0ABA124A8BD83,SHA256=367825245D62892C2B16272374E580C6CCDA0A059F4471D5780564C59D8D4C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.135{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_deviceenroller_evasion.yml.tmpMD5=B2796E9006B041BE8EBDDA4902269563,SHA256=91F33E1CA75EDF2FC6592D1EE1AC80CF80C371F0478A65A92FC1518130DF4033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.133{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_explorer.yml.tmpMD5=232A6D1A8FA0D75A892FDBB759B1739C,SHA256=77CFAAB8AA125C76549E3ACA644071B58A70579332DFA4B38F2F105D7B066B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.132{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_7zip_dmp.yml.tmpMD5=8D102ADCF207EEB0A688F1F0E0A4B676,SHA256=998C7AB898088A973577B6A7A699B5E6EDB18DA2C213EC0BF46CDBEC1C140CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.126{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_spn_enum.yml.tmpMD5=94969AAD0985C92EA0954C53BC0AE6B1,SHA256=4506720F080F83A440AD136739E8503218A717CF44664C3AC696BF40F12CB0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.123{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74E244E924F035FB9354C14F557E740,SHA256=AD487D0B789069ED41ACFF64D445984BEDA0384A266814DBCA9EF24216914815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.122{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_empire_launch.yml.tmpMD5=F90FD2A44D07D780786E2AA46E7EDFCC,SHA256=C18431240517856F662E590C47B47FF317A38AF13B62F8273C47FA4324243A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.121{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_teams_suspicious_command_line_cred_access.yml.tmpMD5=3BECC014938E4B56ACA4A1FF17B153AD,SHA256=D9098B0F3FF35E3B175CA0F5ADBA72FA4D458389B03EFF118ED968C1B11473E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.119{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_net_execution.yml.tmpMD5=3D585CB416F0AF3F485EE3CEE2031416,SHA256=28C01949AB067358A7086A1C0E9BD6F956F00C3841465601239B22A518ED234B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.116{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_advanced_port_scanner.yml.tmpMD5=EE1AEC64497788FAD5DF9F08DD167267,SHA256=E4240526EB118D9C33A09F0EA19C9368D37F4A61C830FCABA841CCD3EBC703F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.114{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_download_patterns.yml.tmpMD5=EF3EF6D62CFEDF616E564E6DE4737A3C,SHA256=C3A0D74F47B9006C7945793081343B94B46EC15E92C97433795A03E71F040F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.113{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_systemnightmare.yml.tmpMD5=F04D78F35DA58C9148F485122E1341ED,SHA256=AE57311EF299DD55CA3646B96A05906BDC60ECA6E4D5ACDD1CC01D335F459413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.112{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_mspub_download.yml.tmpMD5=341DF48F54F110B1BEA55A71A2662C9E,SHA256=D18F3D5D75B69A3BBA457EEDEB1E9A16B81E68EA4A5D309CFCC4DFE376A32E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.107{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_calc.yml.tmpMD5=574163460A89D034617FCDA0DDDC01F0,SHA256=F3B3AD280D50AAD701D9DC5D067B62EA5691632CAEE0EB2262A949E3867A602A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.106{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_regini.yml.tmpMD5=9541B10ED7A551083AF89C53D122C35B,SHA256=BBF8E5EEE5CAF6C0509588EAFAAD00A284A47D3C85A4ACEA29B559B1B80F860A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.104{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_adplus.yml.tmpMD5=D5D053B75B0BC3AC5514512C23B7B852,SHA256=695A4AFFA291ECFF850B17FEE545CC5CF51E8D20B01D0BE64E1688212390804A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.102{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_defender_exclusion.yml.tmpMD5=D6823CF0724E905D411F2B5EC5706708,SHA256=AD3F83C754C7366F603CA81E2A7BEEECBC36D616072AE6509E5432F3A68A200A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.100{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_findstr_lnk.yml.tmpMD5=80B784F1B0817054AF50233C50E34A9E,SHA256=F020E138EACDA5EF7ECCD17CD10164B8F8989F79C492B86FD08C3BEBB97B1703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.098{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_hafnium.yml.tmpMD5=01213DA6639833846BCFFE53D11979CA,SHA256=F2CB6061432E456441DD37784C86A485522EF9513611CB122742EC7B94ACB05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.096{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_sideload_link_binary.yml.tmpMD5=C9731480F9FC06CDCBD4D344D4BEC778,SHA256=F33727D26FE80CFCB6EA29D2097E72179C50B6982229B2C94E1F5E603C4F9EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.095{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_new_network_provider.yml.tmpMD5=DFB654446B82DB13AEFAFDFC733C8462,SHA256=D60BE400190DA3B8D918D6A630268CC36FF489634089507544E86889ACC21069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.094{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_csc.yml.tmpMD5=5B2DC4F3ABABCED0D10268B953890BBC,SHA256=712417651517F6272758484FC05C463642D63392134CB57889FB37E3FB5AE561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.092{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sqlite_firefox_cookies.yml.tmpMD5=7CD6BF669AE0FAD714475C3CE2952113,SHA256=ABF39636E21EEE5F1904B1CA8B0C7BE181D97825AC9070D4916C761441DE50C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.092{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_char_in_cmd.yml.tmpMD5=6F0ED938496A48301DC57955D0C2E1A5,SHA256=114A40F873D77F3F8E7BC85305B95A93D9F9A8AFE1911B1DE2E67397042FEE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.090{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sdbinst_shim_persistence.yml.tmpMD5=7297CD91924DF65130826E387BE6739A,SHA256=C4BECE2844E3D4E37FC34D5D53E55197C7A17FB8D87877949484FA938B5779F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.087{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_service_dacl_modification.yml.tmpMD5=E654CBE22C4A51BF277E14D528D6F0D2,SHA256=E40071FEF2DA64CE290C959E8C8F126DFC8CD6C4B3834B1DE39AB45A46AFF2D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.083{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_configsecuritypolicy.yml.tmpMD5=B9C57DDBF76C828C528BE61ADC1C767F,SHA256=3232BDB2940F687C77A7A08AE50442BB182B4B5CD6576DBDC3173C99F20DD8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.077{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_screenconnect_anomaly.yml.tmpMD5=69BF9EB8872CD9895F389879853E7D66,SHA256=2613FCA521D60AB817846EDBFBDE0FB67BB642F4CF04906FD04940CC5B483869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.074{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_zipexec.yml.tmpMD5=BA2E517EBC4DCFBDA580A036704E3D86,SHA256=75BBA0AFEA73E6159987B40D80BC1A8D176A8A7D102EC03E6A73621280208D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.071{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_jlaive_batch_execution.yml.tmpMD5=0C17621B866C7338B460CEDF3DC7587A,SHA256=16D68ABDD8A619748C4BCAE452A5B70F87DC08BA6FE906B73B98EA6E0CE41449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.071{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_tracker_execution.yml.tmpMD5=1A71B153E2251FA9040FCDDF8BB42407,SHA256=5250C19D9728C1F05600F731535C973F8346C908DB320A5EDF3E1F5406CDD8B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.062{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_control_cve_2021_40444.yml.tmpMD5=60BF0508ABC9E2EC184D4D99DD25A642,SHA256=CBB3283256386F89A1F1D6BE5570A46FE71CF5DED315ACF04FD55E64CE90989F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.062{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_purplesharp_indicators.yml.tmpMD5=85C1D960C9421E82DE3667B06CEBB82F,SHA256=D6569ED7EEE0B7B1B94E70FE5B6641BE0C21E45E9912EBACBF82EA12C8D01AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.062{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tamper_defender_remove_mppreference.yml.tmpMD5=BCD4F7EF9A4A1F486914CE183FADCEF6,SHA256=3D1AFD386633957F2B89365CE945A7840789129FBB966F83FB86F9E13A644CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.061{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmi_spwns_powershell.yml.tmpMD5=8B5FD07991F714D9A4D10ED02E8579DD,SHA256=AC707E0F09A2B0182799DC5C169290E0D8E2E83CCF8B6B9A9FCD37A3EB40AFCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.059{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_iis_http_logging.yml.tmpMD5=E0F62855D7EDD423E6178F147AE67C19,SHA256=D5A1A1DECA074ED330B53A01D817880A248B3624E3DC1AA02694F29B06E9B860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.056{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_webshell_spawn.yml.tmpMD5=A6EACCCFA267E4F8CCB1F7F2E7FEC7DD,SHA256=D66B80713283201F593D322AF38FF4435A533AFF416AF25D4DCC8203FC8831CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.055{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_encoded_frombase64string.yml.tmpMD5=D8D45E4775A2FC4978CF4F3A29579914,SHA256=B3EDF6E15A052D95ACCE248E1D7B637C68A838A0B96817A127B2C9FD57F8FE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.054{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tools_uac_bypass_computerdefaults.yml.tmpMD5=63975EFEE92B37BA89F124DEBE282FAB,SHA256=E69DB726634C93887447AAEDE7759CE35068F36AA6F82C80DE01E797707BD407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.053{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psexec_eula.yml.tmpMD5=0ACDAE2189262E1D1061FBDDD9096573,SHA256=768A2892A9BA563D244A97FD3C7C12F07482D1F0F2722915D9A06C54B148EFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.051{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_js_runhtmlapplication.yml.tmpMD5=707404202F3A8BC18E3B7BD597BB2D8B,SHA256=50D7E56260353F411B839CCDEF884830C57EEFE57F5ED18E6B0306DBD11F683C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.049{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_diantz_ads.yml.tmpMD5=54770CF53383D5C19D979564E66D67DD,SHA256=5D901F3182808B0C7241C09F78B7491F7B4467AE6E86754362A300363C4622F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.048{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_enc_cmd.yml.tmpMD5=8AAFE93CB1B920A84CEB052B2AD14F0C,SHA256=8E97CEAF3F9A1CAB4D24282F458B65E73D83BBDB83AADEA790138314A8923E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.045{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_env_folder.yml.tmpMD5=6E272B7513C327E42F49B3CDC0DD6EA6,SHA256=D964C2C6575FEC11AE4E9885682792366372A6058CC65FD3F5AA68DD136046C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.044{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_remote_desktop_tunneling.yml.tmpMD5=98CDD767F89D638BB1EBC5D1397EFEE4,SHA256=45BC8DA166A7A936940C8AD4EFB323F7773883E24756651868374620E26DC16D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.042{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_obfuscated_ip_download.yml.tmpMD5=D15958A4A98115BC3601E875C6B6856A,SHA256=F8F2910AC6938203212448333AD84EE7F32A066E89E8AA16DC89B8235C0D556B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.034{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_iis_connection_strings_decryption.yml.tmpMD5=46CA17177C337BB3F012EDAAAEDAF0A2,SHA256=9972591CC6E5FE1F44E7130F9B4F4697E53FCB01CEA6954A96B9BC6CEE5C3421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.033{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_public_folder_parent.yml.tmpMD5=3F48EFE799E3A6F7C9650BA43CF3929E,SHA256=1E43EF86307CD87827F66F59DD5565DAF618A61F29BDF2EF5C35E67575FC5AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.031{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_mshtml_runhtmlapplication.yml.tmpMD5=F05C36601C203C3B3715CD12EC917AB2,SHA256=55191C979728527D9988985B2676D7D37D7E858305EAD215DBA0C609EC31AB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.029{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_cmdline_specific_comb_methods.yml.tmpMD5=F96FD131336A636675C28B16B2C3539E,SHA256=6A9AAC754A853106216ECBEEA1C2DED488538B7CB52ACADA4AB89C3D04F7DFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.029{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_dump64.yml.tmpMD5=40ACCB84AFA976052BAB185C215C49B4,SHA256=B1C4A5C489A881203428B4779F52E94EAE5AF1F7A1738612AAC52D5405AE41D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.026{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_pchunter.yml.tmpMD5=3982CEFC02D2F33A4AE1380858FBF30B,SHA256=F7163EC3C5BAFB41BDE481E95027B48BD446839A2DCBD12325F1A27EFC855EB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.026{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_16bit_application.yml.tmpMD5=BB843C4F55AD89F0BC4CE23245CFCE82,SHA256=5EF39045CC488275D061962AF51A359E5E59EBAD59DBAFEA6C8698E3A443FE0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.023{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_w32tm.yml.tmpMD5=9D6BD2AD35C61D017747BCF9699830D8,SHA256=287617FB2001ADE3812A3628785D66DAEA07A1B514EF223F96D54384D3F23721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.021{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_cl_mutexverifiers.yml.tmpMD5=4607EF06AB94DB8063D252D2833E5839,SHA256=629C519C34C5A52C8F6DB3ADD5534F1EE2133E5B120E4550B566CD42289F9207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.019{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2015_1641.yml.tmpMD5=10A142BF5A30AFB6E9209A4BEEDB1B77,SHA256=EBE0D96884021277A07C8717BEA45D62BC362F0C1A6D7A6E1C33AEC3DD221377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.018{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_bcdedit.yml.tmpMD5=8F13F32980E093B09B58556A4AAB3CEA,SHA256=BC33E1545729E29C30537AC1446838E59BD4937EF5594FD957D519943488648D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.017{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml.tmpMD5=693130AAC3C0EC97C9256C3A546EC811,SHA256=05613C106AB1D3E1C9ACEE4D35E764B470D648C4131ECF5428569107A0604935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.015{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_amsi_bypass.yml.tmpMD5=54C22F1A067EC222E0AAFD1396FCD6B3,SHA256=ACDDB4B5CC7F8227F57758A16CE9AB5826D5A143F25958E2B4810E8643E80280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.014{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_whoami_as_system.yml.tmpMD5=D431A9C134B7C1877023E68E556415C2,SHA256=1B468AF8695845432BB0A238F134C73F7C60752B5E3EBCF78F26719E143FA2D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.013{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmd_dosfuscation.yml.tmpMD5=D6214F5F356AD4689ECDC182F7E84945,SHA256=C0C430321C560123BF14D1E1502F458A1AF69201AA18FC69FB743EA029A6ABB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.012{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_where_execution.yml.tmpMD5=1A7B9BCB8BE134A4D651BD9CD6CE7FEF,SHA256=8BC4E756469F6FC9CA61E2D221E88528C2040B58CAA7933814CD515F051893ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.011{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_7z.yml.tmpMD5=0EAC548AE29B455B3ED573A4DA5D7547,SHA256=DFB832B94121D0A973A20DA11CC8919DABD33E44646DCE50046BE446AEE6B67F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.010{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_device_credential_deployment.yml.tmpMD5=E6807D65F4BB4C2D7578070471B73E5F,SHA256=FE572E4690964E680D4D1653000864ACCFAFEACD7832D8133BAD66272EC9A7AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.006{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_win10_sched_task_0day.yml.tmpMD5=74FFAE7BB2C319A2C6C3CE742A7C23EF,SHA256=E0FA2AA74F3BC849AB85217B4F173F742BF63DCCDCD8DFEF1F4D0BBAAD7400C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.000{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_weak_or_abused_passwords.yml.tmpMD5=FE71A8E3D24DF5076E27D098524FEC4A,SHA256=F63A55B2E666C13B6FB7955DC55ABD1EEE370851FF21BC779D33D6256104E8A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:33.141{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651275995E176060B9A037A7E5E48E36,SHA256=BB2FF970F52A1D51647A5F272993EC20DA49DC6DB72D180BB428E5FB5D3A2A43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:29.796{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50495-false10.0.1.12-8000- 23542300x8000000000000000842346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.632{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_wow6432node.yml.tmpMD5=C0F46C3183ED3B4644C9B6B405EEED42,SHA256=186CF728A023EECE130116B5382CFFBBC2541974F21440C0C1F80944539E064A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.631{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_ttdinjec.yml.tmpMD5=DD31F8E84B1DCD2D507404B4C18C3A10,SHA256=9169D7BDB1CE73B7A63608D386D00C03607E99ADFC394D2C06AEA286857F4868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.629{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_susp_remote_thread_target.yml.tmpMD5=0510B620E9443BCFE1EBEF71ADF15758,SHA256=630BC3973FAA9EF1F77A79F44272C6865ECC304CB529C297445813B5770C0EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.628{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_susp_powershell_rundll32.yml.tmpMD5=41B6DA4536744D4FC088AB48A21C8940,SHA256=71465ECE818230449B4D59DD450222AF1580D9729091F0356740A6EFC5CE3C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.626{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_bumblebee.yml.tmpMD5=B8AABFCFD349B53D97CE4D0C0B139D28,SHA256=9167AD20DF6266911DF6BB5DF0D0BE11EDFBBF4FBE4CF830D543F993AC9779C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.625{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_susp_remote_thread_source.yml.tmpMD5=59C99896F87F643CCF2038016B47BF2B,SHA256=D7142F5B25C7B14B59A4EB8AD0C793866BA098EF4F731C90ED3648CE1AAA1BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.623{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_susp_targets.yml.tmpMD5=7C257E54DA801D872DE30D72FA7CD762,SHA256=8C64F7A7DFF9D0BEB8B7E52551ECBB050247379982FC0841A684E98D0EA5EC87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.621{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_powershell_code_injection.yml.tmpMD5=58EF4B0BE9DF597BE822BC2F8F94856F,SHA256=7124A4FD906DC454B5A1764442DAEDBC19C0CA7EBB7C1B396C66705D2A29D4D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.619{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_password_dumper_keepass.yml.tmpMD5=BC5DA5DF5425F25CF3AFFA6674D3CE9D,SHA256=BDE9E7541DE297410E7BB95A2AEECA06D6603A7681C3FDAECBC2D7A1DDEB7C99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.618{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_cactustorch.yml.tmpMD5=0DA5DE99CB3723421F265BFB0B89A22C,SHA256=E680DC9C48EC83561B8540FD3BECB58A10CC8409C18ACB89ADE95B2D63ABC242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.602{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_cobaltstrike_process_injection.yml.tmpMD5=F6E64E2DBF4E243A963C63E9EC9ABF6A,SHA256=40ABC604D440592B56C0B2BAE04DCE8802D26F32C217D0BB70A9699D2080A110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.600{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_password_dumper_lsass.yml.tmpMD5=8913677978132835FEF025EBA24B1C5C,SHA256=C04DFAA2505463A1258D9FDAB5D591BC28FDD6B986A034F4A9000592AAABC05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.591{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_remote_thread\orig--create_remote_thread_win_loadlibrary.yml.tmpMD5=7213093C659683033E7B803A233EEF8B,SHA256=73E6CC4FFF3CC0850CDD38224D90A8ECFE3ED8E130801C71680439819B0E3169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.588{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_psexec_pipes_artifacts.yml.tmpMD5=DD2E491120DE9BEF5434333FA2AB9652,SHA256=16EA5B65413DF678DDAEAB57BD741FE391E207C4F7394FFDC9B9C95422EDC957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.586{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_koh_default_pipe.yml.tmpMD5=6914C444382F89D90ADF542A5F0FDD4E,SHA256=B880273E90D9F5F12AE3FB1A4DFB9824BCB8D4C98A24109940120830411E600C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.584{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_psexec_default_pipe_from_susp_location.yml.tmpMD5=AE18AF2925E768067B7F7ED802DE65B0,SHA256=1CAF7535580BE1956345B594BF5B16FABF3D28A36346F2ABE645692AB18969B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.583{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_susp_adfs_namedpipe_connection.yml.tmpMD5=D2382800A76BFB7410B93E94314ECE32,SHA256=424B2E1F593CABA6BF4E90C70A3C37FC62461112FA0840D712C303B8DEDCA65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.582{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_efspotato_namedpipe.yml.tmpMD5=FC415AFFA376BAEC1FE9340FD223835E,SHA256=76811FBDBD72380C17FE9B983208F9A3F61DD73AF3E2BAE9FC3AE83542D0FC00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.582{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_mal_cobaltstrike_re.yml.tmpMD5=91129BF3319633A015EA1B8227CD9A25,SHA256=36F8F5DE0AF9966D2D3C1C4DD1CD44722D4BBC1ABD400CC0CA2E5C209C83971C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.580{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_mal_cobaltstrike.yml.tmpMD5=111230AB02F65D0428833E35AA1C4928,SHA256=8D3BE8C8B3C00295B848D5061C850B024B827A35FFF756A6FC3AE575DF6952DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.579{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_susp_cobaltstrike_pipe_patterns.yml.tmpMD5=09ADFED8824998814CAB6BF5B9B5398C,SHA256=06DDEC4FCBF8221C23EC42BD5EDAD5B50B725EAE99E9BB0118CB8F5644E166DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.576{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_diagtrack_eop_default_pipe.yml.tmpMD5=A787F23CD5EFCA1F9E47DA6F2F26A4A7,SHA256=FF3219379FAD69732E59B5182972E2606F58195B250F9707AF1254DFAB86113C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.574{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_powershell_execution_pipe.yml.tmpMD5=915AD3394565732290AAC2EF57F0527C,SHA256=98FCADF403BD317BF8023DCF1DC1096DF1C30F49DB2B0B7AD1DEABF18ED1D40F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.572{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_cred_dump_tools_named_pipes.yml.tmpMD5=D1D5A8C5D66E1E6BF4AB67341DB50AAC,SHA256=C8F544F29C05A5C3EAF5A291174766C2DA9695760826601BA1263F9C6EACD818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.571{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_alternate_powershell_hosts_pipe.yml.tmpMD5=6C8EF2459B2962DABCFAED12284BD241,SHA256=91974332A003CFDA310FF6E9949C9DDA85B8D951B00356E3914A7CBE951AB2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.569{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_paexec_default_pipe.yml.tmpMD5=3C547F3194F87831F1CC4BCEEE71814D,SHA256=5979E20D880D0BAF69A17F0661DF694E45838DEFB0E8279C4B60F8452B33FBF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.567{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_psexec_default_pipe.yml.tmpMD5=8B93DEE1F1F06C5CC7807E560F02C50D,SHA256=439FC936F010509AEEAD2C42654118E77265B0D50E5D6DFBE569F2E6997E0D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.565{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_susp_wmi_consumer_namedpipe.yml.tmpMD5=EEB76A92BA7C3C328944442DDE3BCC48,SHA256=BCEF3773435FB532110538DC7F5EBE7FF9C8D7FE0E83C7944A0669C71B3790F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.563{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_apt_turla_namedpipes.yml.tmpMD5=302C502AD78984B1EFD64152620C0F37,SHA256=F09414DA8E915206F33E1BD08AAE5339248787964C4E02176B9F000E7196AF1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.562{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\pipe_created\orig--pipe_created_mal_namedpipes.yml.tmpMD5=5318D2C63EA4ED0B3BD158FD5759A3C7,SHA256=7151B95B57F7D11ECA08A1AF6CE3372D1A4C265B8DB8BFFAF9BB585E335FF727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.559{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_hevd_driver.yml.tmpMD5=5C60BA1D3F0D0F0A9F9EF83BEFE472C3,SHA256=E2AAF8094F74A3A885289A6D312B78188DDABC85D39BA3B8119D7EA4DADF792A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.558{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_powershell_script_installed_as_service.yml.tmpMD5=9F99066BA8A41A237612EDA0ADE90CED,SHA256=07C87EAB2B09D4702E947CB774DD17DCD7DE9F65792D1793BD4ACD3DCA559086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.557{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_lenovo_driver.yml.tmpMD5=795C15A0357CC13DE80B54D871B028DE,SHA256=5A4538FB295BBB2838F84AB0078B177F9A981B9EA063D64582D2968FEEC54476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.556{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_process_hacker.yml.tmpMD5=7B3C2615C3EA91D9357EA1204C395E44,SHA256=F59728445467D4E5BDC594A36E48CA2C5589FB204D1A6E75DD030535E84E1694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.554{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_drivers_names.yml.tmpMD5=22B579F00FD9CBCB214F4081D2084AF4,SHA256=E02DF5217EE1DDA372D7E096D0A34932C90FCE9082E091A1C6AE215DA48ED884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.553{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_windivert.yml.tmpMD5=1D664C6F1B0B6792D2B353B932712FAF,SHA256=186872BA2E234149E416BD79E9D7F960AD6B79A54FC8F97114F2CB6E5B00D844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.552{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_dell_driver.yml.tmpMD5=9ACD1EE425C0FEA98B79E5097FA495CF,SHA256=9716A3AABB7A055707B37A2F730F272836A14F4C6608B91C208E98D23AE2AFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.550{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_susp_temp_use.yml.tmpMD5=A9663E34F3FB18D27DA4C458FADF55B4,SHA256=29C071BE69AB3D83FEF6BAA3728A09752915A11249A2F0D2FC4AFC6A4DF2C70C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.549{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_gigabyte_driver.yml.tmpMD5=BB1F87E9FE984ACAB063A12363D21666,SHA256=DB41537C840D5B458D42F1E5F3C7435C9C04EE2579FD8263850D8CDF36922F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.547{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_avast_anti_rootkit_driver.yml.tmpMD5=4311D34F67EFA77C2B71EC5AAB1F3E4D,SHA256=5838534F6F812E47BD78F7D93CE20B58BEB0C022D2A565B8A0FB721A37670285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.546{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml.tmpMD5=5D876D82817698840E4788D91FA00A05,SHA256=926EBCD93C79290890DC75C572900C8BB64220F05DA33532E883C5FF3FCADEDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.545{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_hw_driver.yml.tmpMD5=C96B49C8FF632FFA6D3C39A820704771,SHA256=DBB4E1DE73D0DA1F66871BE9B50C0232D404B6E7CEA68A18C93B42A455B8B614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.542{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_winring0_driver.yml.tmpMD5=02ACD3B39880C746C0895DAF63674DE8,SHA256=9254933B2C76781117128180327B0499B5DEE9B94E70247AA06B2DAABEBF76F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.542{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_mal_creddumper.yml.tmpMD5=2F40625C876E390D2057E2120D5D480A,SHA256=BB11671EE3E34E437C4DE1EF5231A230AE1F3976E9AD9F876AA9A369AF0B2D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.540{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\driver_load\orig--driver_load_vuln_drivers.yml.tmpMD5=3AE3F41AA9AA70D0A2547E936BB6CEC0,SHA256=DAC3B7F967142A4E4197C5B1E6FE61475F4BEF987B1A14BEB7E5784C8640CAE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.533{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_clsid_foldername.yml.tmpMD5=779BA5885816153A4A05334C8F88553D,SHA256=0197231E381A3A30370EAD967B5632C7BE68C42626EC947687A01161EACFB512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.532{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mouse_lock.yml.tmpMD5=E83417F67A7F7C5308FC9EB146E65742,SHA256=26025BD2D9EB7A66D6C6E7689127155A0D1701C0554E153F5B97D5791755BB08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.531{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rurat_exec_location.yml.tmpMD5=89AF779BEDC68BB80148A573D30C21C3,SHA256=AC098EF55D79D80F9EB44FDA570D7CC8F684EEE19E7DBE2D3CC9D16BBDC72F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.529{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_3proxy_usage.yml.tmpMD5=644C24B88B02E55BF96EA451C771FE85,SHA256=DC15E65B630D782C1B4A7B9A51C710F8AAA3915938705576E74309C00EFD88AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.528{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_anydesk.yml.tmpMD5=511513182E7559BD0DB4572F3EA38256,SHA256=C3CC334A53BF6A08D54F79AC6EEF6018828A33E72D99AEACF90D1A1F91C18007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.526{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cobaltstrike_process_patterns.yml.tmpMD5=108CA0B2A28233C174F652F3A81A8C14,SHA256=D1D7E9ECAF08A19D512C0E92B2E2C78B3C1C4B964699E0F86DB62E9A6A7D570A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.525{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_outlook_shell.yml.tmpMD5=BAB81D53D3533FADBB31259D72C6D74B,SHA256=4931B2C816CC317C060EFF80930FB2893E97F6C69427C0C9BB34A50459E30AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.522{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_shutdown.yml.tmpMD5=1281896493D2AA157AA398580F5EC3E4,SHA256=107020B22003697A401CF18838C3C44FCAA4B22106D8F2EF3630CE241D623A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.520{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sdclt_child_process.yml.tmpMD5=B083B363C8B8FDAE2539F352410BB774,SHA256=8DA08181A9CB4244C20E6D50747F98AFE8D5FB06F17A27A7FB66E706CAE5D413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.519{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ntlmrelay.yml.tmpMD5=DAAC0386FF4D91481DC23973E61C1CDB,SHA256=830A4B62D8DF084644E04C50F48DB9BEBE87C1A4786C8E97BD379D634430521A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.518{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wab_unusual_parents.yml.tmpMD5=7AE55A32A6F871CA6143773FBF922F32,SHA256=881D207AD729D3233E7F70D08926FA72F0741315BC4E8394BCE4127484280EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.517{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_inline_base64_mz_header.yml.tmpMD5=CE8F199EA78F0387E5720C1BEC3B7F87,SHA256=78972F42F3F80D79D47E68FFAE79A0BF65B7AA0A85F3FC209707BAE5C4126866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.516{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_unusual_parent_for_cmd.yml.tmpMD5=4F93831845937775A6C6AE9A72EFFAF3,SHA256=48FF3C7746A1E2FEDD4C9CE3B2F949158A51220EEB156B4E4CA74BF4F1972EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.514{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_acccheckconsole.yml.tmpMD5=0A6F9B77B446974376E5CFC678C81509,SHA256=7845722E104C1C35C14BCAED352967FF99D3D36F397324441552282C3650456D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.513{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ditsnap.yml.tmpMD5=C9D0D7142A08BB667589B29FC2B9F1D4,SHA256=37ADE18E211267842F35181079B81A1960BAB20C3BBD60E9EA0ABFA2A91CA9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.511{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_squirrel_lolbin.yml.tmpMD5=BBF294DDAA6E12877106E4640BA3CAE9,SHA256=B0EA8C83FB853488F7C9BA2C2EE85086783950D254B61EB6C95BD897A5B04C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.510{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_schtasks_reg_loader.yml.tmpMD5=DBFEC70927EC98ECD1530EC4BBF8C6AE,SHA256=5FB12D10633030E301ED3E2656DBED8F50529170E0DD758C075B2D09F3A871C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.509{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_fw_add.yml.tmpMD5=9E3FD3683B9F57F65126D8278A0AB497,SHA256=684CDE0A3576BE6A10C3A4E810437E9561F6EA8753100C3812BFDFB75BC88BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.507{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_advancedrun.yml.tmpMD5=D7F1D8B7699C40859383F1DE277FE763,SHA256=31E787999250F408051C60343078874892298843DA286F11EFB64F170ABA3574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.506{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE4CC16711079E36EF125B2EBDA675E5,SHA256=E79307BFF8083F9906B5D1B4E275D240925D072F07EAACD821A9D4E38353B1D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.506{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ultraviewer.yml.tmpMD5=062B0C7B95E8EC6A1ABEE179E84F1C31,SHA256=9DE4E29739F0E0F27773DE412D2B008F38ECE505FC73AC17E64790837D3DE4E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.488{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_frombase64string.yml.tmpMD5=D2443A087017D1A679DD7C2E83077F52,SHA256=2BD636693AFC2778445281C70A202D285832934AB734C6007B82A91FC755AD57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.485{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_evilnum_jul20.yml.tmpMD5=CE2328CBEEFA6E6E26213D5350AAB8F9,SHA256=4092B4D5078D9B76A7ED2D83E9192A3353BEA1FC2C61C7AF83105AAD5DCAF8BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.485{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37848E926B47104ACE656BF2F11B831E,SHA256=05A9E58F1CB41846CCD57400E7EE06D45A4F23DD4F364B4365261438FE796F48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.482{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_double_extension.yml.tmpMD5=04B487AF9FB6237A4582B2357E009AA9,SHA256=7D12281E72EAA41FA64BE10E0FC9D3898C21AF1CAB4BFAFC8851D7171AADE0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.478{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_progname.yml.tmpMD5=2BA539E1CEFE455360AC989ED2002F47,SHA256=4514C7F4A7CA57355227D7987049771C281A7BF77D9C0216C4BC7ACD6B1B0470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.476{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_procdump.yml.tmpMD5=16C3D115107C20CD7E28FE490720C387,SHA256=A7BD9C3F7F329D933E102658D9306127435325EBD9C31810DFA8D8F657713961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.474{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msra_process_injection.yml.tmpMD5=CB3E4199241D2AFC0DE14F852AB8419A,SHA256=3E3DAED8D8536F78550DFE119EF7DD8037E8AFC806696FA5576A64433096A294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.472{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_wmp.yml.tmpMD5=46275999852CE80408BD48AB936D37D5,SHA256=069E5F5284205CEB3239774AAA8329C8BC58197A87FFA8D7DF3D711D08180789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.470{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_script_dropper.yml.tmpMD5=2799DD4D931D0048AE1E0F671078D6D9,SHA256=A74FEF16302E09596F875CBC89A22D344C6235AB9C3DF53E85EEEF1E61757B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.469{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_workfolders.yml.tmpMD5=55D45181E18E9CFBC9CA80E3049E02A4,SHA256=A5017F4A073D4E4DD4FCB8EB8BCCDEF38C0D6255E1513CAE2BD6A36BF545C09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.467{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psexesvc_as_system.yml.tmpMD5=D8FE255965901CC7D7CB8C03B2E2756F,SHA256=4197CAD69C8B1606D242DDF6B0E8047BCC1AB39B376DD1C4747C41452DFD70E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.466{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_get_localgroup_member_recon.yml.tmpMD5=CE41904D337911EFB932B619776AD053,SHA256=4164428CDD3FDFA828D6F47AF9F0F8ED1CF30BF0C95E17B9D49FDF22C79A18FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.465{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_service_modification.yml.tmpMD5=DEB0BB1E8342C58BB0F6E7E9C9E58418,SHA256=EDC389ED17FD8B14B94D44F137E1DCD8B1759C7121924C1B0E07C5FE88320902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.464{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_ie4uinit.yml.tmpMD5=5AB85EC68ADE54E4507126AAC3EC6405,SHA256=652C7AE4BC05BE31E96DBEA9269BE9C41EAFAE4EFA5C1455588F0EDC8A4336BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.462{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sysmon_disable_sharpevtmute.yml.tmpMD5=C957BF5E99F1FF4CD77290829316CF81,SHA256=10EEC489A335639F9C7ACE89B0D895CE65D01F5E916C2D10426301748E6B9D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.461{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_shell.yml.tmpMD5=018B72B55E3E46DD96730A12874D7941,SHA256=8E9476C1FF645725982B0E9002EF8F476DCA81BA5AF58A793AAFEF046AB0EDDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.459{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_greenbug_may20.yml.tmpMD5=E40D73C9AEF96C438315806F5CA3E20E,SHA256=9EE21833CA8E58F8D0DFF03FA7CC2BEA0A9908A59451EB16B8D6505C61A46AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.456{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_esentutl_params.yml.tmpMD5=9DC14B84F9065DB5647484EBBE33F5B3,SHA256=3E829896AE98778533A94741EA53B67FB7AA854DE696778F55525B302D4331E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.454{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_psexec.yml.tmpMD5=F312F2420413F81EF523C0C8967BB33A,SHA256=836EBF4FE24C91875FE24286B4A7EDC93380096AFF4F6EC21443D7F0B8DF9CB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000842261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.454{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000842260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.453{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000842259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.453{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_binary.yml.tmpMD5=3E4B894161A5DA13537B1BE1EBECCF7C,SHA256=9F781BDECD06903814C824FEC2168FAD873D594610D46450BEFA1CD9F3358D1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000842258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.452{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000842257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.452{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000842256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.450{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_no_params.yml.tmpMD5=58FF83F67F4C39EC28F7B124400E86BF,SHA256=E7C18DB3882D5A708086928F7039C7BCFB5A53784A34F4123682B60983465BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.449{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_visual_basic_compiler.yml.tmpMD5=08676704F98ADD4B4047B10F2EE129BD,SHA256=A35DDB1C96D963F852BA3FBA7B6DD7BBD8E787F6DAACBB8592158245B03AD0D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.448{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msiexec_embedding.yml.tmpMD5=8219DB0057CEC30F1390F70AE3353897,SHA256=0321D81C52FCF9A208469A5B7432CA7D4F159F7B2EED2E6688B378D60B9AF03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.447{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_lpe_cve_2021_41379.yml.tmpMD5=F00CB7825646446897383608BB0CB44D,SHA256=D92454C0574BC4F764F4C5E549D2B6BD22B47DAFBAA02CE281239244247A1311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.445{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rclone_execution.yml.tmpMD5=E75B487A35CCD9532566A02279B31D81,SHA256=864FAF84574C072878E2398715B288A8AECF35E0DEDF3D59D84C5431E4186BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.444{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_workflow_compiler.yml.tmpMD5=8301454282EDCE7512457EAC01992116,SHA256=83DBEF6F36298C9F29C2796A40B2FF921B3950C0893A508307E6DCB9337AA752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.442{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_net_enum.yml.tmpMD5=1BB7AC8FF40172350D2CC1B4F8C42BAF,SHA256=8225AC24D782EF1526A8E362A8ABFE38B78A81A749D28EFBBA2D17CFEF4B6E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.441{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_svchost_child.yml.tmpMD5=79AD780528C4820721BD8BE8619FD727,SHA256=9705257B3F400172EC70E9D3F49F0CB8373ED14F3D8C9C4359601771E9C5E0D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.439{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_pcwrun.yml.tmpMD5=26BBE32A17997AAD218DF72ED2E2666F,SHA256=A767756A039B56A9AEC4188B4F52DC1952643B0136696A228BDEA6B61179DA46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.438{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mal_ryuk.yml.tmpMD5=056FDECAFF6A2BB1238336DFD8657968,SHA256=23D12B6F807DB1D6F3084B3C9E6DCF3E8D6F8AAFE1411CA9DC12088BD5BE8691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.437{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml.tmpMD5=7740CD4FC7FC80380BA3368462CC5976,SHA256=0D11CB9BA55C6E3999EA69C06B26184EAD5EF3096DE03522066B84AC2753D10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.435{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hashcat.yml.tmpMD5=FCB69C03A519165EA94E65F65346BDFF,SHA256=B23A96CB566791B9EE105369C3DB021422138F98FD1E15238F8933ACF2498D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.434{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmdkey_recon.yml.tmpMD5=445B7389F3DB7ADBD83211A820D340EB,SHA256=F0DE07054841DAA946ADF57A01F03A924D0362F3EEAA1B08B564C27DF9E585AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.433{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_openconsole.yml.tmpMD5=A3554C6E1348553DFDA5619A7ED5B1D4,SHA256=3B5BF6F9F4B6255145AEC67B8279BB56258BE009F348B3F78E4F457179EDE8E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.432{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_remote_time_discovery.yml.tmpMD5=637F319E0A8AA97EACF3DCE5ED790DCB,SHA256=247C8CD3A7CBD3F944FE48FC0AD270B7100DD340B2F154A7E089099F883CE1DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.430{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_cmdl32.yml.tmpMD5=048F4FF060455A2DA4EE2E9F5763BDCB,SHA256=DCFA452832029F28D28241D326F3106BC40ED9ECEADB2979E24AB50703BE56C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.430{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_shell_spawn_by_java.yml.tmpMD5=64570CA8AAB1B6668E749B0039C80B2D,SHA256=EF420D99D139219D861E421C32CB9B8E1FA01F4B6C1C684C11790B7426BCC6AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.429{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_tscon_localsystem.yml.tmpMD5=5FDEC5509EC538011FC8349A5BDCDE32,SHA256=1445B29CB7A91D4FA035A2634D35F351F8CB9B21C26270182E986D87429010CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.427{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_c2_sliver.yml.tmpMD5=6CB4CE03AF908DBF46AF13AC4E5BE743,SHA256=017C119CAE2209868209486C1EE19E6C9AEAFA266F67A50A27FE6BE7294D42FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.426{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_hotfix_enum.yml.tmpMD5=1570BC2C4CB001298DAC55CE54333B6E,SHA256=C4196A92CB5A2C2FAF025D9497487B77DB4E0C7F035E546F985E25359DD101F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.424{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_whoami_priv.yml.tmpMD5=8CB02F13C50A7BF99067836C19457D3F,SHA256=D3245D438C442E60188B408B3F84D10ED13499E6EE084BC56EE8E5006A827B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.422{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_run_locations.yml.tmpMD5=E75B64696C81CF18FDD264A60682BFA8,SHA256=3582065568C800C19372560042F7904CB32750AC1552B074AA49C04740B94786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.422{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_renamed_adfind.yml.tmpMD5=2A34C100A177471171B29091F6285ED3,SHA256=0BE50A2BDD5E57A1D2749D49281B5AC5531E4744F97F61BEE6220638718EDFBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.421{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_dridex.yml.tmpMD5=CEF616B4B1C6EDA96FA3050D07170697,SHA256=29CE3CB864D2BE8D7E33AEC4CF2EEC2A58979D12E469A3A2049AF40A7510A568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.418{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_imaging_devices_unusual_parents.yml.tmpMD5=C927677F232C0B6FB718A4DE6219EE22,SHA256=6CCB081D7F777BB013D3BBA831D67BBDDF9195BA03F6BF992F90B9C4DFE9F9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.417{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ps_downloadfile.yml.tmpMD5=6E832FA5957520625D14D5AC2363DFF6,SHA256=DB9893112B4074A6BE543B140399A2F6583F68EFF87B44256D39331FE7B99829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.415{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_commandline_path_traversal.yml.tmpMD5=90AFD020357F4BF27B160096FE55F519,SHA256=3C29EF19ED0B44CC7F63EAB446810B35717220BFF4670FA0C34E82E4396BDAAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.414{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_frp.yml.tmpMD5=398699E995960C3A48C7E6B1FCF22407,SHA256=7403BEB688AADBBB715CAA9B716CED4376642F34688F030FEC21348B98243E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.413{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_pua_seatbelt.yml.tmpMD5=D9AD86E07617AEC0D47386606337DCE0,SHA256=B15CE002E9D0DFB15060B8299B383A0AE86CA0550862A277535DF4D28282737C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.411{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_packet_capture.yml.tmpMD5=001D9D01DA7668E147445196F3656F0D,SHA256=7AFBE41E97DD78D397549612E8C738DF298977D463777A976E1E411B50781DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.409{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_execution_via_winget.yml.tmpMD5=12AABC4162AE76C5DE93B1D0328AF2D5,SHA256=9A8C8EFC3317642A5EAE3761CA303AB491692B5F4E1DC1E285178A9B294D8A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.408{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_adfind_enumeration.yml.tmpMD5=965C2DB81B3F14F8E399DF00E475671D,SHA256=5E1020A8A813751006F564FB94349E80370ED93EE40BE63C48B39A7AB7D2FD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.408{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_lolbin_non_c_drive.yml.tmpMD5=C4A1B6500ABEC681EA22E595195E89B0,SHA256=A25F4CC2676B4CC6A0275CAF30EEE2F0031BDA6D511523B99165CEEFB19D1E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.406{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_iex_patterns.yml.tmpMD5=88B5B5046F8DEA4CD57E21A3EC777FA1,SHA256=4B49AB2F51FA11EF73CC3CCF2E512C502769CCBA36993A8ACEF6D68C3F01E2EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.404{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_unusual_child_process_of_dns_exe.yml.tmpMD5=233EEF450A6F1901615EAD4C713CAD34,SHA256=A358A6B39FF2DA8A49865265C74E02E13AF5A0A4AFA00277CC17A47DE51BF51C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.403{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_curl_download.yml.tmpMD5=23D49E858BB6F811CE92E2E2A3A9DA5D,SHA256=E0184EB6C710CAA1F38AC838D1FFCAC828D42B64341D2F029817886353EF312F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.402{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_missing_spaces.yml.tmpMD5=4826C8287CFDEDACD9B213A14E0C4A8B,SHA256=EDC63A690F02C716EFC62744EA7ED857D76079189B120411B647EC597B4B9907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.401{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_tscon_rdp_redirect.yml.tmpMD5=6D640549EDB2F6B7F1852878C5F3EEAF,SHA256=DF119709A3C5495F43EFB059B23FD3FC3C8CD011D92C2EF8B2890A8D14961150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.400{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_pua_defendercheck.yml.tmpMD5=E96C97CE889F760E5B9D8DFD35B5B5B0,SHA256=5A2A6F3B34058180258629FA81093F7BDCB45313CFE78212F4395412D5652574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.398{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_non_exe_image.yml.tmpMD5=F948BA0594F8FD8CCFA06881E84E5332,SHA256=363572B153F4CC62F6DEA2B1F4FE7627731C84A92F8227181B8BBB39F8FB6612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.397{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml.tmpMD5=3C2A9989EF9248C0521B9825C55B3358,SHA256=953A8536F79DADEA8D5206CCC3C52A3C91F71B6A094C4921D9373D03C97AB87A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.395{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_sqldumper_activity.yml.tmpMD5=079DFA24BB082C462E7C4D5B0C4924C4,SHA256=DF5A5DF272E11BBCE4CC16F834A18076EBEE6D57831527C8D22230285070DDF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.394{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_inline_win_api_access.yml.tmpMD5=3D76E7A64CF742F1AFAD48ABC7F42420,SHA256=7E6D9B89358C715A96CC23B168D3DDDE4B77DF4375DDAB0ED394BF18DD9D1077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.393{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_system_user_anomaly.yml.tmpMD5=D3B25B95EE180B14222929B3DABB06AF,SHA256=5ACD507EFE89C15C10C844E8F3D289C0406C6E1F47733248C89135DDF15737C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.392{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_copy_dmp_from_share.yml.tmpMD5=981031D3A10128E1D81738CE176D0BCE,SHA256=9A005C9A0F898B7710356090FD8D29582650FBE5DFFB3391258B17857850B1E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.390{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wevtutil_recon.yml.tmpMD5=CBE337C1E7EC401CD5B8D15DF0630D29,SHA256=332110674DEE1F3FF788BC293A6C3CFF166E7C5C36B287F48D9A69C101AAF2F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.388{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_desktopimgdownldr.yml.tmpMD5=599BBC436366F739E46A65EA455F74F0,SHA256=BB2E9BBBF212DEA2BF64EAB278C53664033901CB5FA19F23B4C1AF398BDC98E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.387{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_spawn_explorer.yml.tmpMD5=E9B3FFDDC4E41D6C2F4AB5AC2B9DC9A1,SHA256=04A64FB5F936588F2AA3984D5BD5026D8B4331025A9556BD2928EEDAD370E392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.386{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_hostname.yml.tmpMD5=5B2D676F1ED7826F50482615C1DD16A6,SHA256=971C3F322DB4F719F903F5083A736602A0E07DE9F3FB9E34E89C9CCDC7A57508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.385{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_vbscript_unc2452.yml.tmpMD5=B9D0D1F43411B863EA86316B56EBED2D,SHA256=FCD40973D0A6B69C9BA5DA09096C99F4B4A930B6C7A2A1D5EA5FC15F9D74F682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.384{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_cdb.yml.tmpMD5=B8972545DD7B14C7589BBB4CF6B486AF,SHA256=CB8246D14FD2CB26C492FF59B90FD45A2E60CA6B4DA6BEF4C14B963CC122B80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.382{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_wermgr.yml.tmpMD5=31FDE1298D9E795C13EEC87216D6DEB6,SHA256=A087FA69517443317AF4DCE38677BDE3FFD6F8BEB79AB839D42D58F1640C84D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.381{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_via_compress.yml.tmpMD5=EDE643631C93E8819C1FB4C521CDD474,SHA256=8B50E1250FFB6F58BA5E38BD5108199F8E3B82D31FC815CDAAF1509B1824CD2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.378{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_dumpert.yml.tmpMD5=22E4ECE166FE42663A5A9E4804B9A855,SHA256=37ED340A9C2FD2A7A72442DBD922D34E3FE673C0653C39A684FD5E76E1462549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.378{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_outlook_temp.yml.tmpMD5=3A6CC87B7E0C25AA0C8BCBEF79A8499A,SHA256=D29D7CA925662516746B9E888511A499FD155711600CA6CA9755EE697981F43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.377{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_crackmapexec_execution.yml.tmpMD5=8D613FD70269E1FDB0C560B9BBCB9909,SHA256=BDC93D7A254A3188EFBF1BE4C67AC911AD77AD01B3AE3802E1A8AA8E76E535D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.375{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbins_with_wmiprvse_parent_process.yml.tmpMD5=9FC26AF44BF63F2B61CF0045117C2FBA,SHA256=5568611BC4BBAD4A1CED5EFF74B5FC726E98F08EAAB5D3E178D7335224FD8750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.374{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_script_event_consumer_spawn.yml.tmpMD5=24DA505E5A2F4C7B83ED9CEC3300C239,SHA256=1DD08EBA2CA01C6ABA09D77223A3C0C6D35BE53FFB0A14FFFE01B87ABD7E844A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.372{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_sharpersist.yml.tmpMD5=EB0F8516C90741626AD0CE8AA5991F4E,SHA256=3030A0AB8E67B61C6B2CAF3AB69350DD3541724C6D3C07A6638A77731336B1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.371{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_anydesk_piped_password_via_cli.yml.tmpMD5=FABAC71045792A57CD1D9EA6649CA7C1,SHA256=79B8F59505F4BF88AE3195C29C6B619CCF77E471CA2A0502A353AFF6D039F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.370{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_secutyxploded.yml.tmpMD5=2DB8CBD26F27A64DFBD579C0FA360348,SHA256=3C33BA9BB3648299583C5D508EEDACB079E6D3D7484D128EFF75332E910EC4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.369{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_silence_downloader_v3.yml.tmpMD5=F984F3DC0A11B42026950F292945A4DB,SHA256=CAEBFE4E3C4415DD80D3CFB87FBF58001B235DC12355DE670959B0309C3AEE61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.368{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_splwow64.yml.tmpMD5=DBC6741ACE4022A5321EBB2E809FB008,SHA256=83D10A4D7580C18BE050413210537CA0BD0B8CD926C43E2D08674CD2BB64792E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.366{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_outlook.yml.tmpMD5=0DF4CE6E1925D1FCC224E295134D93E3,SHA256=3B4C6DB2971E31897A6E3132614DAEAD35C67DD95F43031A71B310931D1DEFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.365{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_soundrec_audio_capture.yml.tmpMD5=A65A6F4545AF508AE5C4394B0F0F4050,SHA256=C9906C4C568D4FD4DFC3235C85EACB351AC01A73A4B0A8DF10214FB5BAA753D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.363{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_takeown.yml.tmpMD5=8D82387DA5E27A1693D8D6DECCB9FD38,SHA256=3939DCDCB91E497D8069C3DABBA18B0A4F6401F1D38FF3F397DCA58C3198AC97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.362{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_odbcconf.yml.tmpMD5=6D60A796C241F54C78B2F2EF2EDA4FBF,SHA256=AB881DDAD2FD8A9327AB0BE37AF7B30933B605E87A49F6C81B92CC859009084C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.361{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_add_run_key.yml.tmpMD5=6539C2693AE7301808674D57B2C90B35,SHA256=98CBD2B251F7F38BDC8F13AE26579AF0DFAD5071B1851E73B472FF31DCEB061F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.359{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml.tmpMD5=FC4BCBCD3432611C3802EC3EE3AA5CA8,SHA256=F343631DEFCA22699E70979E805EBCEA6D0D400ABC7A708C49AD445540650969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.357{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_via_use_rundll32.yml.tmpMD5=95C86E8BF2DD7931AE3F7B696B143C55,SHA256=6ED92ACD6A6246FD3892A732635D0ECD0AE1BF783B53AF5C2B1DB31E585F9AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.357{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_priv_escalation_via_named_pipe.yml.tmpMD5=81E634D9F92F7EC83395DDEE2173877D,SHA256=0A58DE99B2E4ED12658DA8082F8AE1F9400A0A551ED4EE5FAD871A4AD76ACFBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.356{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_volsnap_disable.yml.tmpMD5=3728793FA5A7DF5B04699884FE937CC4,SHA256=553C95C9AE1590597115E85E75DDDE68F8D844215B620E16E8CC294C00990573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.356{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_ke3chang_regadd.yml.tmpMD5=AE8DE08658FE8F438B3CA83FBBEB95B6,SHA256=7D98F58387A08675C1002B1CD96305931C6C5C3CFCF267C465C53189F80732B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.353{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_service_execution.yml.tmpMD5=7A80E65FAE5872E8D33722BC2FBA96AB,SHA256=D38BC73D9E7AAC33A8E53EB0A9D6DC6D7EBF0F70A81BDA125B11B77BA5539E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.352{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_indirect_cmd.yml.tmpMD5=5EF8089725791672C714BAB2BBE543FD,SHA256=E49B291EBB07CA88A68D49FECBE42C81601D99000AA87803DF0F6AA7445FFCA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.351{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_sftp.yml.tmpMD5=8A8769961C256D52DDE7C37BE2448485,SHA256=CBB7674E7FCB441E22DE71DF4EDA98BF7773DEDC1A7BD64E384B2D091D0BDF6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.350{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_shadow_copies_creation.yml.tmpMD5=BB1730F8C3368DF2FA2144304F8AE6A9,SHA256=CFD7DBEDAECE8B459AF5CBB571529A3B9A574CD24F51A2ABEB50A31FCB33F162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.349{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml.tmpMD5=1AC01C06332BE6D3205DC3892D7971B8,SHA256=33E780A0221D8BABD31B795BFD74267DD6BC3F9B6C3C18E055F5DD4D2B4C9E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.348{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_conhost_path_traversal.yml.tmpMD5=439CD83C0FDD9538258D6EDBF6373AC3,SHA256=BD19985390CE43802734663D0C2462420D77B0751EB61EDBBDA3D4B2FF5F70CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.347{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml.tmpMD5=499871820DEF4F349E70CA7DC717ED6D,SHA256=AB46D288419D3365D28897C4FC0199C9A7DCF918A7D94DEAE66CA017BE47D1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.346{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_target_location_shell32.yml.tmpMD5=9836FA92A047CA7B2C8E45AEA015DB27,SHA256=037125F092718F1213426C362DC60FEBF6A76CE2CE007A28DD6E3A93A1E36C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.345{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_base64_invoke.yml.tmpMD5=179FC200119940833546771EC8CA227B,SHA256=7B14DA5C97210C2A254ACF24A682DF5287B5772B6A0EB9128DD93C2CAD014BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.344{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wscript_shell_cli.yml.tmpMD5=BD77DD20041414E853D5E3482D3A1038,SHA256=C6856851960E868BE3274897DC2EA8E634668CBCFED38F43868185B05AA62864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.342{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_folder_combos.yml.tmpMD5=BCA048601572C6BEC446A9BB1F5533BB,SHA256=1190E354990E18BE30181E7EECBCA7E087203BBFD7A3AE7C78F55A16D2600155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.341{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_wfc.yml.tmpMD5=79DC1F054A43149223D3A5E8E55C14F5,SHA256=3F1AC111C9E17B21CCAFE602B892384ACC723C7E27A2E655A08CF824FE54CCEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.341{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_shadow_copies_deletion.yml.tmpMD5=CD7D252281F1B7909ACFB562CD802A16,SHA256=35C5591D6D6E6D639877108612C6FE599EADA2506E796AFB7715A956D7F8D0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.339{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_dll_execution.yml.tmpMD5=5B35292F3948B6CB743063A37B6C316B,SHA256=255F70F5B3026B317F3241F1B6AB0B60905ABF6344390ED09058C62908531F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.337{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_use_of_sqltoolsps_bin.yml.tmpMD5=6632CCAAB3313015BF5868E734A593E9,SHA256=E2BD5ACAA4A25F0C3C3C4797972455D6144C0FE195660FDEE608E7FFC65F3A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.335{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_process_dump_rdrleakdiag.yml.tmpMD5=A2C6CD0834045864CDA9EC8C33B0D8F5,SHA256=083E0BAADB8B6C45EA74F324E0B15F130C9505C1A5206544018BDD137C6B0984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.334{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_remote.yml.tmpMD5=868193E984C70966B2D447D5E5D84AF1,SHA256=B83804DA970C61D64B859D725F0BF1A860E6CFE7020EF9B2414FE0C8A106587B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.332{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_compression_params.yml.tmpMD5=1A49CE1855EAA286A36F766831A5EE41,SHA256=2F380C042C879F8B2E336765A2B2BA44139DE892493B814F322573E6FF6759A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.331{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tool_nircmd.yml.tmpMD5=DBDC3339ADABFAD8660BFAA7FC9EF75B,SHA256=009166293A4834AD9D15CAD799E44AEA590C7A3233CEE9EE9BE318ED01AA35DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.330{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_disable.yml.tmpMD5=C7C31562653C4048044707183E8F0CE1,SHA256=5A31C61E3E904F02C66B86F072A057B2C6AF2C5452565728C03D2FF1368E5158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.329{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_web_request_cmd_and_cmdlets.yml.tmpMD5=3A8D86CABCE35CDFF0131FB9280D0504,SHA256=F1814BEA912BA291966D964EB4F26CED05029AE835E7DB7D8AA1D98B6C4E5A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.328{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_rundll32_without_parameters.yml.tmpMD5=E9BAF0CB2936CA6CD9A63643F0DC23E3,SHA256=A3AD2A708D28883FC6070CCA3EA8ED64A1259660CAF050A680B43835B2B958AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.328{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_openwith.yml.tmpMD5=6A7E6A948993504E68EB99BF9E969AB1,SHA256=AB064DE8B1E24CE52DE945B0FCAC96D7F151E2A3A5BB8497877A7C575CD9B870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.326{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_mmc_spawn_shell.yml.tmpMD5=7639035BF6059120790301774B03E486,SHA256=7E1998427C200E0614E8262867B65753EE0F94AF8AEA7416EF9D4147BA32BA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.325{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ransom_blackbyte.yml.tmpMD5=E0B4E4999D9F9282D3CF27A2044BC30B,SHA256=ABFD6469BE5C2B5FF92F16471539DD69A4FDB58CF687F01F17FF51CFB88B5396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.324{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_atbroker.yml.tmpMD5=2103EF3A06B7C3E353C8FD8667DC2A47,SHA256=4911FDD08500A232688335D0B1C53240AA3A7429E582B82DA3CA5E757A3A15B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.322{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_printbrm.yml.tmpMD5=C809B5985EC5FF7973726A52E6B10780,SHA256=5C952E2B333D557013FD0450AF60DFE46067CBA8BC01B7AA1A88FFF917AA7BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.319{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_service_stop.yml.tmpMD5=9B8FF1ED54F7F1B0240B5C214C497C35,SHA256=3C38C1EDA7570C0982BA4077BDB0EB9C05F26A8B384D986607DF29B3A4A13A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.318{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sysmon_driver_unload.yml.tmpMD5=2CEDBB4B246A01C80D788DB7939F22C5,SHA256=7918C5CF0F0AD588D5BA09F045661D996837CE706BCBD7674F29496EE4EF8527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.317{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_schtasks_powershell_windowsapps_execution.yml.tmpMD5=6F09FE0EE1C6C2F2723FDE4C7578F3D4,SHA256=E66C9EC3BC0DCFA2E64BB881D865FFA4ED506BE62D8FCF064E0F0A3BE1CFFE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.316{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml.tmpMD5=BB8CCC49096B9DDFB6E7ECD3CFC23375,SHA256=A33BDAB5DBCA0E0EE51371458BEC2477326E49F95083B04A44922A62B63BD747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.314{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_trufflesnout.yml.tmpMD5=7BB7DB839AABEA86F8C4B11C83FF0F7D,SHA256=2A301E2ECB65330F0E00E341AE0B6C7E9523F3B64E4C161FC6447C9CEDCD1244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.313{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_impacket_compiled_tools.yml.tmpMD5=6704B2F88B4F78CA01C10D6C722FF1F3,SHA256=14E284EC0694BA5F46301C5DA31630DE70A6C06C92F099689D99D7B71E8C1C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.312{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_judgement_panda_gtr19.yml.tmpMD5=D24B1C2ABBCDE76FEA0C27951694E13B,SHA256=FBAEB613A487C5933308F4D1138FE3920F127AE4DF6EA2CA6CC07DD3D4666931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.310{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_delete_safeboot.yml.tmpMD5=0EBFC23A87C23FFE8A83582536D3DC7A,SHA256=EAD8A88BF22DE156E4B9C3E26C724892B55374722C43073D4BA44F39BCED2EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.308{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_network_scan_loop.yml.tmpMD5=2B105783D9A9616DA57EF49E7F1FBE3B,SHA256=8CC12089D0AD1C9D576CBCBDF583C1E0305FE80854E17A1CA96741427036C5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.307{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_pcalua.yml.tmpMD5=92B03B27858FF1A88917FF9DC12E78E1,SHA256=B570E66B3A65DC7F04B7051EB4B55F0154D870DD02ADBE1D18E830A095CB75DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.305{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_susp_wsl.yml.tmpMD5=0579FD1F9A20C9FEAD42826FA6ECF4E9,SHA256=5B9D3F1778C4A574EAE7DE3D1D6D097D4E3A63604531279DCC8E46A3F1DAD34B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.303{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_findstr_385201.yml.tmpMD5=A23D65D4C7034A28A903A9CE5700EDF3,SHA256=45A546C47EF566DCCEA72E41A2DBBAF813F23E4B104D17FDC249681EF31C310C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.301{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_proc_dump_rdrleakdiag.yml.tmpMD5=99A3A4817E92C870696DB75532BF18EF,SHA256=99400902608945955AFC776F4F2AACDE4BD2E3C073D7424828D3356945B1B582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.299{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_hurricane_panda.yml.tmpMD5=64B5D42BBAA37CA0AE19D7B18CDD99D8,SHA256=0D8998B1801DA8EC434C0419E80E0DC2816EA26E64E09DAE8A40332BB57494E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.298{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_write_protect_for_storage_disabled.yml.tmpMD5=25E22988030BA16ED66E8CCF8A0CCA93,SHA256=5B41196C6F1F95809F506323B84DCC0CBC773FE7983C2837C7070F7C2A6F5B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.297{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regsvr32_http_pattern.yml.tmpMD5=96D3F87E09B5F579AC1861AD63DF4623,SHA256=657D07853F6DDE70B8D43ED3BF1E770AF066D76FA7CD9D0E6282A0A751DED525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.295{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml.tmpMD5=455C1C89EA75CC904BB63557C41B98B2,SHA256=9AB478C8CF6A7210641F77A827F4047003DE70D49851E195116A4F4D5868EAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.294{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_cube0x0_tools.yml.tmpMD5=3CD92E6D462082B47C42E0135C2E77E0,SHA256=18F0F0B6B5186FCB3B64BB86E6C9AE59D4C1BE1DE467D6972211F33B53ADE294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.292{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_node_abuse.yml.tmpMD5=4E2CCF1315E79D9A4772E59A6D565683,SHA256=A9311A526A821C1FD40E4D199B1E8E3A371EC9DDFE098B6B4869E971FAECE1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.290{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_customshellhost.yml.tmpMD5=57C79455F02F48AD70B47188E37C101B,SHA256=768F8988AC610E7A2A66AD4FB27114D24AF5714E50182726B12C21BB4CDD6119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.289{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_add_user_remote_desktop.yml.tmpMD5=014B52A809AFC00D9602BAB887D272DA,SHA256=D693B26A7E64798201763E296B705F813773A634FA314E1FBBAC3643BFC161FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.287{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_netsupport_rat_exec_location.yml.tmpMD5=33B78C9B37BD52C4B9BECDEDD622773C,SHA256=37CCD4198189DC84D06B22D789F33BC5931D7192E235BDBA2C90881202F4AC1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.286{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_lsass_ppl.yml.tmpMD5=BAA62293FE27EE7E087B7ADAA01147DE,SHA256=577F22C387E1E9458AE3956F5D720CFF0F83D2FBA2FD1B9EFA09FD5ABFB1B3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.285{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_xsl_script_processing.yml.tmpMD5=4B55A1783FB50D62DA243A2BDC14BFD7,SHA256=B6018D677DA71A910A9E27CB53F576093F058388FA7761202808BE4158EE32B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.284{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_iox.yml.tmpMD5=C94306811A945431429ED83A1DC30C8D,SHA256=9A9B11D94698E5A4FCF7E853EC4E3CBE7AD60255ED90AE8832036B0FE19EB40A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.283{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_add_safeboot.yml.tmpMD5=A52164413C55E585A5357C098710ABEA,SHA256=E8431D6BC42F880B032C030BC7C737D250F3EBA59595CDB22C5FEA4457265AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.283{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dns_serverlevelplugindll.yml.tmpMD5=2E49D2814F38BAE9AD2E2E86BB8A485E,SHA256=683149C5CF1D3F402CE9A521A7F14113E0008D82BA4D752FAFD86AB01053E256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.281{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_certutil_encode.yml.tmpMD5=8D384E9DE08BDA34D994DD1A5DA0AD6A,SHA256=C8E617F1A597B806217502BBD9280064071CEC4B1C3318714AE46A1D93AA834C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.279{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml.tmpMD5=B1EDCF1A0B5048AD771708F4659A8542,SHA256=9E98311B08DB34D629639ACE54022E2B723F0068D53E08667A0B28FFAD41B93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.277{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_revil_kaseya.yml.tmpMD5=B91A0B713D8EED6B498D5AD1FE39B58F,SHA256=3709926EFD58BA11FDE21DBEC38C2BB1AC483F130D5D4ECC8CD90C47898C37C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.277{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_add_local_admin.yml.tmpMD5=BAF54D3148E034D7BBEEC33C9A377AAB,SHA256=A6EB3A0CFF7D657EF48131F70AFF2CFC5B4634E0BA1005AB0B55CF33095A2C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.275{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sysmon_uac_bypass_eventvwr.yml.tmpMD5=0676A978370C457D06662DFEA0D489C6,SHA256=D503403DD01F4B441EFA67E75DC1F29FE12DE77971E8061F77AE0C1731489144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.274{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_gup_execution.yml.tmpMD5=8D30222B3C65C14F738E18A009EE345A,SHA256=8CB8A60B083759C6B50165F7FFBD81C94B6DD124B1525B5732DB17C9D328CEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.273{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msiexec_install_quiet.yml.tmpMD5=13B58F7E705A041312197E961145A9C8,SHA256=7A805317CB1D8E58ABAF5E5CCFECA59727FD80354C1D2A18529D6D03F86C3887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.272{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_certutil_ntlm_coercion.yml.tmpMD5=A2F35A6DF18E8FECBEB9C10AFFCAECE7,SHA256=D1BA6731E1D2E2B61567A304E516391B85005CD8F4DF242D71AB3826416FB28E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.270{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_process_hacker.yml.tmpMD5=972AC466D0F98BDB8108247C3C8C372B,SHA256=40FB3C15A963E953CDD5381C010D0958B369BBEB1DF2B88B4661613AB6B6E54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.269{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_cmstp.yml.tmpMD5=994C63FD2794947072B3ECCD6776CE20,SHA256=0E17591C00D51C041F7D8BE33A7B3F61632BB01FA7233C66CFFB924F905777D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.268{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_sharpldapwhoami.yml.tmpMD5=00F8AB0A5E28E79FA61AC59B2A28A984,SHA256=FE7164BCD2C7233D2EB21A8BB543F7B7F75931185B0094AB76C0D9E786816AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.267{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msiexec_execute_dll.yml.tmpMD5=1084BB182244478A9A5A64CBFB3A36C5,SHA256=6B79383E4605E840853192FE13551AA4AD0EF8CC7584F650101C1D2896D68038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.266{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_fsutil_usage.yml.tmpMD5=B10306A11B4CD1EE09F049D7FE029B6F,SHA256=96F0C99A15DF62157AE9175BB63A70DA4DFAEDD149821CE609F4843EB710E046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.264{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_win_exchange_transportagent.yml.tmpMD5=72CA17F252C0BEF79476547DB88BC38B,SHA256=68E190495AF29009E11B25911A8A61FA3FEB3D0D01F96881A1FED926CA1F21BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.263{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_net_recon.yml.tmpMD5=AED3134C42903CCD80F3F2682359BB9D,SHA256=CCAE6425811A48074776FF9CE48C5493A158C6C31FE25536E9C8B00AE6752D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.262{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_unquoted_service_search.yml.tmpMD5=C8C2FD14351A38FF47BD4CA32A039560,SHA256=5B2E087CDCD7E4C81FE56569ECEE762CC31E640CA88C38B15C0DF6C98C39E8B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.262{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wusa_susp_cab_extraction.yml.tmpMD5=1FA8ED36ACC417DBA99F5CDB47210500,SHA256=CEB47582772CA5D5671E2E0AAAD7866A675F1793873EDEB6EE55239CE564CA39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.260{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_attrib_system_susp_paths.yml.tmpMD5=FD7944B10A90DE69CF8F0F82F71A246A,SHA256=E9AEB756C86496C516B0AF9EFBC2BB653B6789A0913121FBF5B5C830E707E364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.259{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_wocao.yml.tmpMD5=D8BDD11055B36EC2FA23E55DC5DBC450,SHA256=20A5AE21E014557765A68B576C510F21DAA42F0BF01C68D23ED2570641A6176E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.258{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regsvr32_anomalies.yml.tmpMD5=BC9964BC51226411AE7703177B827B95,SHA256=7408DA1B1B5EEBE26BD15BFACB5994B8F1E78B2558EBD4A04ABD7840396B96B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.256{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_cmd_exectution_via_wmi.yml.tmpMD5=5292460D862FF1FB8B8814CF4F69627C,SHA256=B44FDBB974FC0064BDC7663D1E3C50B7BDEC75F039D85242965A1C94AEFBF51C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.254{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_consent_comctl32.yml.tmpMD5=9F142A9C78B617C819A8702ED0587CB0,SHA256=D066B1C791D3A5E241A0379D5496038F4E1D552B7B5912D85424FD029258BCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.252{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_stdin.yml.tmpMD5=04762FF2776B1A0045660D8772DE19C6,SHA256=08E0E59DCEDB5D85BD48A504C90AB4EC0D6D6A2ED5892B52C9CF5926A4F5F351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.251{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_delete_systemstatebackup.yml.tmpMD5=9005A5BDC8576112A1B8665EAD5BE8BA,SHA256=595655BA339C5CA5B491465D7F125C234FEA8F3160CF1016CD2AFD1EDE84D725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.251{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_webshell_chopper.yml.tmpMD5=B0C5A04B6496FA4BF81144DB183AFCE1,SHA256=7B2A79BAE12A0462151535D3298EF48BF23B18F286141A6011FB24D8E52667D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.249{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uninstall_sysmon.yml.tmpMD5=6E06E5A9EF6AE79943FF97F91B1FE47C,SHA256=7A4884254B138ACAC610BC38E1A5A7D31D866B649DDE5CF96303892FC17B3574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.247{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_msdeploy.yml.tmpMD5=6C232A764BF3099602D40D3B13899AF2,SHA256=8069A91E45B97A05C484130CB827E76CD126FDA62C30496F3082BD09991E502E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.246{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_webdav_client_execution.yml.tmpMD5=B3941B4832ABCD253379C1DDC3B4A7DA,SHA256=786CB7F3837D0F79485450F27ACFBF1B287234C3BE69200468BAE022B4A34EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.244{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ntfs_short_name_path_use_image.yml.tmpMD5=2C01E79FA132BC0270BFFE0F71EE27E3,SHA256=493CA6F069F02E3B7E89AA7E2E460B4DBA0FBD67BD23B352FA629187D27314DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.243{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_delete_all.yml.tmpMD5=E70EE3B9A61D3D1AD324A2FC9CFA8368,SHA256=D55DF323883172CA60D1EE4901978965B783B553153A72C8F7AF97CDF68BE592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.241{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_sys.yml.tmpMD5=300DAD2911C5DDA0A538EAE7710402A8,SHA256=112DB57EE25CF84929513D13518DA3BE2F73C5672528A0B9B6A09CEA1FFD5279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.240{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_whoami.yml.tmpMD5=68F326D8FC2B7D0556B7DF585EAE70C2,SHA256=4AF29487F58C89BA3FAE42FA1179077BE6C77B32BE6234ACC5923A7161818F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.238{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_athremotefxvgpudisablementcommand.yml.tmpMD5=C20357D65A884548844D3F1E0A63138B,SHA256=B0AD18AD78572BE63250B4C94CB697B7933DE08F7612589FB612211901B1E9F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.236{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_powershell_getprocess_lsass.yml.tmpMD5=65A08620A33F386EDD3E0A948686814B,SHA256=A0A94081BF1F133E86FA7279B00CE8BD296DEB3470CEDE9D7A560FA28A394FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.235{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_explorer_nouaccheck.yml.tmpMD5=6C25DA76FA0663F73E1DC6205917A87A,SHA256=7B1A913AA5724AE2A89A5DBF99BA7CBC9C772F8B7C93FC5C181D126910803A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.233{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_wmic_eventconsumer_create.yml.tmpMD5=B5688FA2EC997646B6615FF1B078FBA3,SHA256=0E0CC893DF56FC6AE8C824B4D97A59C4AE6EC1556392E233F79592CFEF13B1EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.231{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_embed_exe_lnk.yml.tmpMD5=4D9BD46DBBFFA385F9E5677DF07489D7,SHA256=E6F67931EB916FA8C4C37B35533D5C118AE340C39C2A62EA2070F0E903F246AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.229{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_winnti_pipemon.yml.tmpMD5=F60B9A5B1B7C8940CE74AAC72022308C,SHA256=04FF4C0E4C1C6FE3D0AF8EABB1DAEB0F5E357E023818904AA3FA85EBF97EA3A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.226{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_regini_ads.yml.tmpMD5=98D8107EDFEC58C71629A0CBF1839AC6,SHA256=040ED8174F2EB2EECDDFDCA11DE796FEE2F053CE7203830DD4D23AB21322173F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.225{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sysinternals_eula_accepted.yml.tmpMD5=92E30ECCFF2BE735E3314DF051EFF1BB,SHA256=B5B9F337861D40441784B727F64828674E97D70F733F20FA0D43DE52F3E1417B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.223{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_clip.yml.tmpMD5=9973D3DD490375F7FF93DD653BEB7C90,SHA256=9B12A1898A5A77CEEE691A29A81E05459AD6E290274A010383BE6C9276C80774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.222{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_findstr_lsass.yml.tmpMD5=01C453C7A8316EB9D4E2AD5A496D9699,SHA256=F2D5D465F0E07989A808529C7756C4DEB1038A0AB26EAAC9A97B579F59F8DE7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.221{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ntfs_short_name_use_image.yml.tmpMD5=C694802F910E245A4791FEC8141D64C0,SHA256=8B45697F0C015B9A65E8488932BD80355269E75D327ECAA9D5927579D20E75A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.220{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_exploit_cve_2017_0261.yml.tmpMD5=456D1B02580018B406E37E59DB607ED9,SHA256=36E99DEA435DC78AA5591F94DEC2D4ADDD2558DAF7A9D13A8DD1F6F4E3D3AD17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.219{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_paexec.yml.tmpMD5=50545A16D2ADD0B1C9C84CA51B392F95,SHA256=D551D9F4D2A96AC67065B3661DF48E3FE8F46D80461AE2FFBD35AC1C577CD335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.217{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_service_path_modification.yml.tmpMD5=D090837627E7E67CFF10AE47B4CD9C8A,SHA256=495FEE89663BC27390FC4594CA7732AC35A50447BF12EFFECBEA7893AA6F172C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.217{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_regedit_import_keys_ads.yml.tmpMD5=BDF45F13E553420B21CE6531B1DF792E,SHA256=2D0635AD1D0F5FCBB77C84F1E60B5A1EB2862A8C0FBD544DD0659E7EBD33611A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.216{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_inline_vbs.yml.tmpMD5=9578F1573691483AEEE7A4F609927BE6,SHA256=9255838A41B8C4C7DA5BE299B46F2E531F49D8B60D9F529443D19D1512058438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.214{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_net_use_admin_share.yml.tmpMD5=B6A7AF4951342FAD01378692B1F1FB00,SHA256=73A0E6518AAAC3C79436841055D1BEAEC81B63DB77F3E83B6748163F2F9F1490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.212{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_ilasm.yml.tmpMD5=AF520C1B36298D916ACABB2C795E20F7,SHA256=50A87C89C60088ACCB9BA949708A13D33CF2C841A969EBBA8476768FCDEF805A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.211{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_schedule_type.yml.tmpMD5=85435D9B2CCEE18C65BC26A1866004E0,SHA256=FC294C4B28266DCDD2F86A93D7D4B729867CC20DEC1AD23D8952EE8C8D62B57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.210{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cleanwipe.yml.tmpMD5=46245996C27C984F4ACFC4015E15D27E,SHA256=78ADCD89EDD318CF2DB0C07C1362559E4C5E7CD445BC02F2C91F4C7C47E6F864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.209{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_disable_defender_av_security_monitoring.yml.tmpMD5=A9A6D60D270D3480D448033DB5019F20,SHA256=7B72C0A01281C264FFAB12604CC5D1C961F54D9DB1454D9120388050DEEA2FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.206{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_logoff.yml.tmpMD5=3D0DA9CA2E7EB916BD06179A536D25A2,SHA256=EF5FD57B21CC80BE68D4FB0D688F0192A37216BB9493FC0A1526A84739018975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.205{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_handlekatz.yml.tmpMD5=8C6EC7D00B95301250B1FE843C1F1407,SHA256=877A40684BB09E62A458C2DA84BBEF1FE6AB1B65A8D9B801568F1F5DE4DF2D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.202{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_remote_file_download_desktopimgdownldr.yml.tmpMD5=5259734577FA58D7A8A9E13856901D39,SHA256=B13F63BBAB099FC324BAD2544F68CCF954D1824AF53733B6F3AE9FDAF9263B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.200{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_formbook.yml.tmpMD5=9091B25C6473BDDA4D779D5C9BFFA45E,SHA256=FA2EDB974FF7AA27C610D4FAFA5396851E49DF5513D3484E09116C913711E4A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.197{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_crackmapexec_flags.yml.tmpMD5=DD184F4021D3564AE007173C303082D8,SHA256=1B0A5886E26101A08E0786A1867C7154437E6752A58C41F01D38393C8BD9EDFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.195{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_procdump_lsass.yml.tmpMD5=D256E00642CF47DA8EDE6B4273BCB69D,SHA256=3EA1AA8A8B0A8B297AABD33D7C1A3C2D66772FD7D4B5AA07868A82B0C0E75A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.195{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_emotet.yml.tmpMD5=7EB14D9F06D27A089A418F6199BD751E,SHA256=23EC25D045CA112E6EC728295B3A726635C01A012B29CA2262E152B10A982411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.193{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_modify_group_policy_settings.yml.tmpMD5=DD2A5C0F4ECAE467AB3D5DC08BCC3BA2,SHA256=27ACE9E6646F9C76E25D757422C26BEADFAE6B41FA3828402FADDFA9EF443C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.192{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cobaltstrike_bloopers_modules.yml.tmpMD5=90AF14CC6DE4CF23926DAAF4BAFEB62D,SHA256=A7C928DB63790FF4584E6BC7EBF9629AEB3C18B66357A649047C474B3F9E5FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.190{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_child_process_as_system_.yml.tmpMD5=58CBD3339816A3466545B65204CBBE42,SHA256=15BAB4EABA7472B29708E9882C060F379F3C17E3D0599C6159EAA7AA23AFAE0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.189{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_tool_nsudo_execution.yml.tmpMD5=10846989B55D7C3419723F46B67BAA65,SHA256=3C0418204119FCBE99B0AB5FFA5312ABBD7540A9588B1B7D42B9325C5BB7CB4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.187{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_dismhost.yml.tmpMD5=4941938A02E8D5119BB7AD36F9EE352D,SHA256=B94803484FF2754855DE4F9B95585090008288EDAD72A7E835967B4C4D106FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.186{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_shell_spawn_susp_program.yml.tmpMD5=7C7226F980934F29182C2B46BF69F72C,SHA256=7655FC28B3695A7EAAA0290891BEB834F87C2164D92495A0CE43202328A75486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.183{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_evil_winrm.yml.tmpMD5=B5F7BB2F007CA3D3D2779F7EBFD2DC34,SHA256=54C665103D5CCA1EE1E7469265D205FEAA03F62F5DB278BC52FA2997852D1733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.183{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml.tmpMD5=614AE61AE87F759FA93702CAAF08CC95,SHA256=77501D60A93F94372E89A7D6C4B56B1BE35759821A96B086DCB9F7D0643781FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.181{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_microsoft_onenote_child_process.yml.tmpMD5=6BA7E07E6C1E92663F05B1795B3DE21B,SHA256=5E4CF7C178D5F41A5E9A733F6494E156D3BB75B71248156BDD03B2BEFF6EB916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.179{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_remove_application.yml.tmpMD5=ED47E19FA9E827B0DE6A0627112F02DA,SHA256=11326F0207C771777F4C2EE4E7C004174598C9FA036684CAA8AA33C98A9162B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.177{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_mustangpanda.yml.tmpMD5=88BBD2B50D20CD4FF41187B15041BB0B,SHA256=513C2A16C47F4EFCDB0CC3B148C7C6BE15D934AEC704ECAA29905743246E820D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.174{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_spawning_wmi_commandline.yml.tmpMD5=4068200CBB6051E497CCDB58A3F3611A,SHA256=60F303427B3E68B9B3DC72EC158B9D3E9F6ACE5665DDF70F71BEE053BE137428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.172{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_anydesk_silent_install.yml.tmpMD5=A76EBF40107A483D482260DE55E60132,SHA256=22AAA04F85B7868D5785F022BCB5CA26DFE2AE73786A607D0D22ABEE064B0953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.168{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_ftp.yml.tmpMD5=2C2B8C2746F7C30888EB47EE707BB774,SHA256=89CA9CAECAFD9CBB3EEE653068C972B8D207B848EE6D37FF4C8A30CB27FB488E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.166{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_redmimicry_winnti_proc.yml.tmpMD5=8AA930B3859ABF981ABA12A0BC48369B,SHA256=3562389871E727B6BBC45A4CDE069894159C4748E5793027145EA14DDAD9356A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.164{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_cleanmgr.yml.tmpMD5=1466E048CE62874853296E73649317F5,SHA256=0C3F15C0FD8449D59A6075081672524DB0BA495CBDC0729634363517F0A9E401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.162{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_uac_bypass_pkgmgr_dism.yml.tmpMD5=95C98E693111EDCEF41AC15AB8BDDA7E,SHA256=F4C48053FD79541CAB3F95568BD112E3F7832B43B21D2C523321201B2EE0E878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.160{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_gallium_sha1.yml.tmpMD5=6DCD697D8035BEC9E2F4ECF85437B177,SHA256=3C9A0D51ED79C10D19D6E0AC92F10CA3B1351752837345907E87DEB911E05CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.158{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_data_compressed_with_rar.yml.tmpMD5=8165BFAA76074BFA03E4FCF21DCFCC3B,SHA256=50309A6E72A8D265B56BA17CF1F2AFC42430B1EDD20E2B49F4CA31FC7DA3BFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.156{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml.tmpMD5=7FCB12AB8AF4BC4AB1FF6F26FF1ECA6F,SHA256=FE2374C86E555C20BF8679CD6B1C471510662DC0BD1FBCE8A305D80D67AC761C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.154{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_reg_disable_sec_services.yml.tmpMD5=2A1719296E0D53180D46DD14FDEFC9E6,SHA256=3C22B5903BDDE9593ED8724A690CBEB9316910318DB7B5577FEAA7C654271597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.152{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_new_service_creation.yml.tmpMD5=5BE943E74EC95965B19A83AD025891CB,SHA256=C493159D40F2B6CBA2D38655A6C0AAC46B3872B04B6E58DD61B82DCC6140C887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.151{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cve_2021_26857_msexchange.yml.tmpMD5=3C52D6F4F1807AC0D604FEAA96A7F39F,SHA256=22E80826B78F504CFC599D87A2C10A1F4CE4A5A6DA04DABCB2053420E7A6710D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.149{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rundll32_by_ordinal.yml.tmpMD5=75515BFDB41A60D24EE7BD1D85129877,SHA256=0C5084C1960D1DB0A7BA26146EC5804FDE00A3E31C07EC10286F5397D1609DD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.147{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_creation_mavinject_process_injection.yml.tmpMD5=0E4F72E31504E4A91324DE2821D2C62E,SHA256=E407F54F72C2E3895C35A71CF8ECD1637A6FDF4133731827A2B1AFCE5336075C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.145{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_html_help_spawn.yml.tmpMD5=109F2BE0684CEFAE161ABBA32C74DEDE,SHA256=CD0E925CB4442F5CD34F2877E34C5E2D3A8D89C7AD119D8D3BC048C5B9172237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.144{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_mpiexec_lolbin.yml.tmpMD5=8D3E7F73D0764CA549FD1EAF27637ABF,SHA256=C8F166AE024E4E366702F8CF15EA37FA291C1BBE8944F1CF655E05627A8F19B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.142{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_parents.yml.tmpMD5=CFEC4C6361B9DF0EFC6E09217E3D663D,SHA256=C65294027E10CA5F01C1F01D5644E16EB48D231078A5E45FD38B2992A8E142D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.140{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cobaltstrike_load_by_rundll32.yml.tmpMD5=D424EF0472A3E437A57FA6D403B26838,SHA256=43E1A096FA54ABF9E5EA10204C023A45402E016C1E2FA5BFF46526AE978DC1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.139{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_webshell_detection.yml.tmpMD5=C49D0A95F34F6049BE5AA24D87198AAE,SHA256=E339EB57E0DB818AA15489DE14688289265D89992912043DB85517194641962D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.137{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_false_sysinternalsuite.yml.tmpMD5=1376C7D1AAAD7ECFB10D1A9B22B823B4,SHA256=73AD509CFEFDAF5EED882BE0EDDC539BBFEA0844E6A72B6AC59088DE13B2AA37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.136{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_downgrade_attack.yml.tmpMD5=F20431C1268ED2C581A1B881285A6A94,SHA256=D51032CE13856531E0FC90EBF154C2D07B4103655114D2C654553BB4C1243DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.133{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_pcwutl.yml.tmpMD5=0CC1CD0D2D05EAEE078E8DF789E087D6,SHA256=764D3C72F9DDD69B1743011778F5540F2D6A04E9C07B73D87388CACC0FAF75DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.133{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_shell_spawn_from_winrm.yml.tmpMD5=8894CE87BB26B85CB5837E0FC2E7D0D5,SHA256=84607D8D3D3B56A8EC2D7BE23EF68E5532D24CA6A78AEBA8736B21BBCE5AF616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.131{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_var.yml.tmpMD5=CB5D6E4270290F56C7918A9A56F16777,SHA256=4B8324DEC048F699BCFF13FF3BBE9DE0BD36A16514D1FF51ED45830005C87EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.130{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_msiexec_web_install.yml.tmpMD5=1EB76705D778D58417E5818068E0AB96,SHA256=6EB6A2CD1D7E13AD389B29F80434141EFEBA59288F636544BB6EF7CFF6D461CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.129{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hiding_malware_in_fonts_folder.yml.tmpMD5=9A2EFEC5BD2DE5976B650DC129D38C47,SHA256=3E5F981D8A3A372164DF57DA5569B361FE3867CAE5840AED6079D2130B58A1D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.127{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_vboxdrvinst.yml.tmpMD5=AB6CEB40757EFAFEAF11B0BC227D1B22,SHA256=ABCC90AAC64734D82778B2D1C1712FE503882B02D09179F4156D568357D625BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.126{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_attrib_system.yml.tmpMD5=BF77FDE312C2CA7BE003C66E95BC95B6,SHA256=4BCA02FF2FA28E38EB106F31CF07EFB689E9CEB1E2CFBD57AA29F465BB8DCAFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.125{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_office_applications_spawning_wmi_commandline.yml.tmpMD5=B0C077629017832E0F80AF8ED4C9BAF2,SHA256=8D6210DA6E0533D280DC45701F3F9BE5E4675400CC8FAC1D75A2F204320D0A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.124{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_invoke_obfuscation_via_stdin.yml.tmpMD5=1E9BEDA3FE82062812FCEF7394A149BD,SHA256=65222DB3BB57BBAF86145541499E359104275DD0B871426FF11585BDEF85E54E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.122{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hh_chm.yml.tmpMD5=9F3A580327FCD26373D70F1B9C3F3B7D,SHA256=B35D4223206AB854874B5A760587CFCC3680860EF249632E4BFCC8C03F89949B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.122{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_certoc_download.yml.tmpMD5=347FFA7826DE02DA6C15B96C497070F4,SHA256=083D67B21A10FFD0DB76A415BC5ED89F57D2A215167845D916D4EB6FDE7AA3A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.121{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_susp_parameter_variation.yml.tmpMD5=1272A1AD106CA76184D878DFF2941561,SHA256=571624B74DDD951E2AA42711A503E3059F351609372ACBF749687C63CCC96075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.119{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_audio_capture.yml.tmpMD5=F571DE2A6F77BCF2EE52E4E144A9325E,SHA256=116062DB8CDC502D9D552D3987C97A44CA753A58A2E3C4AFB541B64289A9ACBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.117{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_lazarus_activity_dec20.yml.tmpMD5=50B2E7A3FD9FD89ED70A350E3B6DEF4A,SHA256=DC0C065CBCFE7E6E0A8542D235B1148AE8B3C0EC2A315D3E02E116700A620D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.116{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rasdial_activity.yml.tmpMD5=DC923785FBAA39D3CD7ED1F457E306EA,SHA256=43BF3AE6897B044ECBF891F657CA1C9B79C6279B4770464AF76B3ABD729CCF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.114{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_regsvr32_image.yml.tmpMD5=CD89BF46A6AF4813B73C98D1C12B3576,SHA256=8AB98034A3882B33B19DB5BD87453EAE5B08BE1C36C0665A76B34FE2B0F3A470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.113{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_renamed_debugview.yml.tmpMD5=335B65102F84BB0B726B9A42F62AB9D6,SHA256=442033EFDDA164496C2B2BAB29234FCAE194C27562210C80259DF21A154CBAC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.112{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ping_del.yml.tmpMD5=AB2FFC33354A65DEB2A44F4E4447605B,SHA256=7F0C4ECC343D09DC4CAF3D8B610232CBB6C8C5F01D3C73E0249061CEF5328AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.110{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_msdt.yml.tmpMD5=4266FA6D55C8DD3E6A79C12DA1EEACF9,SHA256=80B118D0F67E423EE5ECDEB3EB507EBE4330888114A40461CA0ADD185D76515C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.108{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_krbrelay.yml.tmpMD5=3141311FEE9D80E57F4B755EFA4B65BC,SHA256=9CF57B2F870059D95E5B33800114ABEEF49A2FB602F2B4FE1A206F60CD391BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.107{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_using_set_service_to_hide_services.yml.tmpMD5=153961CE3EA90DA5874EE195DFB836E4,SHA256=17BD8AC9C63DB5D3824859FB8155664E131814640247A4DD65BC124EC2EC4A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.106{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_jsc.yml.tmpMD5=BBBA35536AFB550F94D091DA0106E6E0,SHA256=C053AFEEF8519EDE3F940D5CC03B350324D1B1A3561492FEE0891302AA0A222D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.105{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_tasklist_command.yml.tmpMD5=568FB5952759D6FC49E7792458E16B8C,SHA256=84FD4BEE35F06CA719A0D222D3C0F5A3CBDFE601FEA958F6EB84FF90DDDD1B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.103{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_malware_conti_shadowcopy.yml.tmpMD5=F0913F28F65B77CA92609032C53D308F,SHA256=4A58434130FE0F28B89D9E9F9BAC2AD4293D56331AA86499625081E4105142A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.101{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_root_certificate_installed.yml.tmpMD5=E98024B2CFC69869437DC9AECA40FA5C,SHA256=2AA418F1BE14F40C1555523932328D4BD5F1E8F7FF78FADCBA14571D15333FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.100{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psexesvc.yml.tmpMD5=9FE7166ED0A6754BA174D9A8E38FA5C6,SHA256=5309E3B32F05BE89103D7ADE7BD07A60E1BBEF8A875020D291757576A6182DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.099{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_conti_sqlcmd.yml.tmpMD5=CC7A75831A4B79D535274F74A39D501A,SHA256=156738DA9F88D2F1BE82DD48EBFDDE76DA7E4EC717547D8888AF62DEAA4AD4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.098{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_ldifde_file_load.yml.tmpMD5=354062B9C6C514A2FD1B106EEA0C5F9B,SHA256=E0077D6BFA1717BA11C17BD5A10233FF9FE4DA21F0811C20C6D208772B7E74D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.096{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_stordiag_execution.yml.tmpMD5=4A99D2294E9735E3B7E314335F011104,SHA256=68100767E69073E847DF8E17864E288D8565DA01CD4129028CC9C21D146E1E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.089{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_xor_commandline.yml.tmpMD5=642C2B865A0C033496F8D94246AF7C72,SHA256=BE382083D95BC9F65FE84B4ADF649E932EC58F0EDCE3A0593EC2338ECB2F60F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.087{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_wifi_credential_harvesting.yml.tmpMD5=DB540A38E1D92ADD9157CA3AE02DC733,SHA256=C6650D9145CC0419E72DD03294E1630E26D59EE306C07978495EF1F5EB929036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.085{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_rpcping.yml.tmpMD5=2E14AD93B63CABF70DEF4D74FBA6F22F,SHA256=5BB9CFE092510CD3A763348BE921C8B128D01AA58D7548F91C4DBCD983FE45EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.082{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_powershell_snapins_hafnium.yml.tmpMD5=D31BB572BC49AEFD0A615C135E463AFE,SHA256=18B9A3711EB3D1565D94407B4221030AEA6FC60F8FF96EE74DE2A80F0EED0E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.081{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_replace.yml.tmpMD5=4C20A7D4018C8D31C7DA0D6E6A52372F,SHA256=259A17DE806D9AD3279DEF8334C113C301B3AD9EE65957EA6374FE5F36C5FAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.079{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_file_permission_modifications.yml.tmpMD5=F8C8FBEE23B67491300944658AC15FA0,SHA256=B6661422874119CBBF9B49064A74A087BB0C14C74F52847DA74F345F65A8D9C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.076{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_asr_bypass_via_appvlp_re.yml.tmpMD5=655E6D2C97188F5EF0FB50A506332BC5,SHA256=EBF23E5F6F91184526C6CD94B3AB5221D00432CF2F3AB170AB965260B8ED7123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.075{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_turla_commands_critical.yml.tmpMD5=329F34A0EBFE1DC2C42EECAA1BBDE14D,SHA256=631D968B6980993C668565EB85643857564E1F1CB75435618F0F46FDE7C805F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.073{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmd_delete.yml.tmpMD5=B17812F2B72013BEB8D83718FF89BD7B,SHA256=9A33DA025E14D24CC45B7C1AAD5234EB78798BC1D977441A1B6138A3D13879FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.073{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_netsh_firewall_disable.yml.tmpMD5=1AD97ACA5924EB571C2740C3AFB932C7,SHA256=BADCCCA44165E232022C3B7E3EFB1AAA729099612BB30929A2802C347E4E0BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.071{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_radmin.yml.tmpMD5=95B3D7ECD8C6EC761BE998A328BE51BD,SHA256=DE5C575A8E2E6A91E1C573594680CBF77B21AA3D1A80A5C7481FB7B2314B7219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.070{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_dll_sideload_defender.yml.tmpMD5=E9976DD509A45D9FF7F2E315854F1357,SHA256=024F1C27DB6857D8FF344F137E48CA5B99051AFEED5B56CE5BBF5BC752B6427D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.068{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_chrome_load_extension.yml.tmpMD5=F7133B68D5EA37181DE680BDB512086F,SHA256=D984ADCFC66B744F94C3D1775F60357512FB91A1B22BAFD7C7B6470FF3673A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.066{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_csi.yml.tmpMD5=F37108BFB7D3B3BE47D3EE714E013379,SHA256=54B778FE298374125B040E5E5CD6944CD2440FC67FDEBEEFC0D4AF69E982B68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.065{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_expand_cabinet_files.yml.tmpMD5=4EE3EBDE1EC8C1EBE9804EDB4C001487,SHA256=DA935264437372EFA8325ABF95A9C20AB5B16E7625CB6D28EA0E5D1A00E87316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.064{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_vaultcmd.yml.tmpMD5=C6C9B218436D4DBA3C014A27F96452FC,SHA256=0C33EC6B460FE3F9A32DC8C199632CF9921525DD97943850F1E0D8B12AB91CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.062{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psr_capture_screenshots.yml.tmpMD5=4AB91A304ED367B43E3766E24DE0AA0F,SHA256=9189AEA3E6223CF9648BB2A602D1325537287A5D66D5963C008B11E70070446C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.061{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_fw_delete.yml.tmpMD5=7ACED379E8475BEDD14389D5CFF6C068,SHA256=9F8E9A8207EAB0A980DE8FE13AF2DEF0E6E09C232F5FEB9FFD413656183481FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.057{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hwp_exploits.yml.tmpMD5=7AB18623EE518CACC5B278142F3F6462,SHA256=89264BFEA28CA0EB1C1025709264DE37C49CBB3930A1362349E181517A5F7099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.056{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmstp_com_object_access.yml.tmpMD5=8800CF744BC0605E3BDCC62A8A67471C,SHA256=A74FB784F930E0428B9995E4F127A5CB0FB972609BCF1021B7AFBA99FB775182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.054{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_encoded_iex.yml.tmpMD5=1D6CE17EA24CFD2AD0D2C38FF2F4C1BB,SHA256=9A99BF7F552166F5EFD15C7BE5E36053EE0246F18B1DDAACB95FE4BCC3BD2F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.052{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_hack_adcspwn.yml.tmpMD5=99906240F8504DB0C0C6489059111EE2,SHA256=96A37C8910CA0B161E2E2FA7ED34D4445361462A8B8648150C69749898390FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.052{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_dtrace_kernel_dump.yml.tmpMD5=16D6552CB28A11F31FAEBA0876E7A652,SHA256=BD42497C6ABE4A890BBEAE192B3F1DB51D8311E3E97CAE3546F6E029B27B502C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.050{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_slingshot.yml.tmpMD5=0540D208F2C6FC94B5C3A2432E6A484D,SHA256=C1326ABFE6A70C86F95BE8F4859AE61CDA5C932BD40769F0D54408472430A357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.049{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_esentutl_webcache.yml.tmpMD5=89A251CABD49C0622F8938C5AF90D313,SHA256=1596BB88F73B2A41DAE522036A56B7E7CFEF5138A385038EB7D6DA37D63CA32F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.047{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_pubprn.yml.tmpMD5=F8BA58C6DC3622AC1CDFAF45A2AED705,SHA256=1D6659833FD153EC739C1710D7AE70482FBACADCF3A4D92DC0A3DE54CE687AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.045{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_lolbin_wlrmdr.yml.tmpMD5=4159069CB9ABF0D1C13C401853394BE9,SHA256=8A7D0C9D63AF20EED91CB74B7F5EC49FB886639AA5775E98ED381957698813A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.045{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_cmd_redirect.yml.tmpMD5=6524C9D7FDDB9CF9204CCE8A4D9E2B87,SHA256=EA5CE02A40327B17F19A35CB2D94B485C8AAA87F6E161EDC950C288A54434A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.044{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_reg_import_from_suspicious_paths.yml.tmpMD5=A1F46246F310A55BD74B11D7F1F98F07,SHA256=8474E5AC415E67AE7C6215C413BD65B5439F06402F6D33BF1A2A60703D533476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.041{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_wmic_remote_service.yml.tmpMD5=768E415C739D172AC97CCCE3929F72FD,SHA256=FAF490A9769567E3F5B16C27C853C30DF31F268988FF503234C88B9B18DD3B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.041{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_procdump.yml.tmpMD5=B9ED205A526DC6FCED71FE388A87903A,SHA256=3DA6A761B6016AE69167DFE77F9033234C0D556B13F5EAE4721EA399A7C82231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.039{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_disable_eventlog.yml.tmpMD5=19D77CA3BF3122BC036BA30654905E5A,SHA256=32839BBFA3826C1E382B97B3E1E4A5F946C3CE089B3811C2FAD079E6E7E80DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.038{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_psexesvc_renamed.yml.tmpMD5=310298D4A5B4FC9CCF07B434BF0120F6,SHA256=58E13A1DACC2C890226EA194F3A58EFFD66661255C84CBAE3F4D9F8CBBEE11A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.036{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_plink_port_forward.yml.tmpMD5=C0C30F0695DAA2A3CD92E8D4E07D7C8D,SHA256=F9FA694BE81FCAA8DEB2272C7AF52AD17B4E032C433B41420752E1960A1B3804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.033{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_winrm_execution.yml.tmpMD5=B3618BC8A34E597FEC1C8D1EE4320C6A,SHA256=816B9C5995FB0DCD6B85EE986D7C1452038D2627AA24D977DA44FB460548F9E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.029{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_sysvol_access.yml.tmpMD5=B6BF87A8134AB988D0F486DB1E2B9A57,SHA256=E76DD0F9624F03928BADC66DEDE70D7762A0012213B68F8A7A4A62A85619563A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.027{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_screensaver_reg.yml.tmpMD5=6F7D1F2BCC6870ED0454FC81F504C020,SHA256=17BCCA0D0F53F6B2A41F537B7FEDB58205CFBE4D488D3099DB8EE1122D45D032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.026{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_taidoor.yml.tmpMD5=322975F6A5BEE90EE37E6860FE3BF765,SHA256=F7CA3DA7F7C5B06202F525293E536EA2B4E2640C1220C0DB454A5FCF445D4D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.025{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_registration_via_cscript.yml.tmpMD5=41D143485A35011028AC089714E89ED6,SHA256=4ACC6B7E2B6280ECCF5A7A884AC9A6194D77BC8A0EDF620E97107BAA73109B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.023{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_renamed_rurat.yml.tmpMD5=3B75251406AB9F3E79085055935EE900,SHA256=620C78406FDBCA2DCDAA69F622758D6E388570EE2678549FDB6B04B98D78FC4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.019{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_netsh_allow_port_rdp.yml.tmpMD5=1556E2F60C445F4A40A4011063E0C1AC,SHA256=E66A3D23AEBE120D98F460F30491306ECE92338D3509DDA19EDD7B2DCFB03BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.017{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_schtasks_pattern.yml.tmpMD5=15BFDEE34263184EFCA7DFA0CED7FC56,SHA256=916CF4E8497452CF365134B3D9BEB56095A28E63A2CD5AB74E0369891C2FBAC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.015{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_raspberry_robin_single_dot_ending_file.yml.tmpMD5=C11ACF26B3FF0532C74CD76A045E0735,SHA256=B48285099F5A84366255C6C94A98A65B7A61D226D590813FF691B0B41845B4FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.014{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_discover_private_keys.yml.tmpMD5=DBD75906C8CB549E934CF7A6D4E76439,SHA256=01A33D1AB0A0E6BA7F962516EEB74D6B9CACF98F073412D1B77F0CCC627D4A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.012{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_copy_lateral_movement.yml.tmpMD5=DE02B087F467B1996D06F693BEA740D5,SHA256=8928D3DAE17CF0AC0C291A5D48A9F918C27FADC6AE1ED041202190813CC5487C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.011{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_shadow_copies_access_symlink.yml.tmpMD5=E0333143D0933F6AD7C575A70BA384EE,SHA256=41BF6170C8921F848F4FA621D91615E9CF788EDFBC5CC320A5AE0D2EC3A4F4E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.010{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_crypto_mining_monero.yml.tmpMD5=86A3E2CBE2FB147C853EF22E19ED0FC2,SHA256=8B46B89A4CA9C459AB2699F4AD47DFC6D2320BA518C1945AC2C79EC71639BD7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.007{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_gallium.yml.tmpMD5=06BBD039A621A1F07A6F4C8E217C2DD3,SHA256=D64D93BC9E972D56CEA22EE67AE1FEC9CE36D52F060374C74053649423EF0C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.006{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_query_session_exfil.yml.tmpMD5=480442635D6326C5A642F66046AB0F63,SHA256=7B16512A40288D36764329D0F4573763C092FF771C958EE1CD5A9719C7431AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.005{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_set_policies_to_unsecure_level.yml.tmpMD5=8FA7A17D9707B35E970D9450E7FACA71,SHA256=4CD1C0534D96248129959245E6388A41D30B013DCC76BB788EEF8A273CE137FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.003{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_sc_query.yml.tmpMD5=2EF124C441750EE152B2C2235709833B,SHA256=F0B292DB91BA495001D1185A199AA228750927F4E6D433E748019FD16FE0107C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.003{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_ngrok_pua.yml.tmpMD5=2D6337E754A310C9E9C7C2E2626CC86C,SHA256=D424AADFCF0BB4A886D39AA6B9BD8A3E2CA04E98867789A8AF654C80B60CB7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.000{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_apt_mercury.yml.tmpMD5=66212F80757EDE1960240AC806ED5871,SHA256=B2DBDAB56AE1EC83C76D88B38CD25C5FAA1AC08EA084754456BBFA7D10B27D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:33.000{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_susp_curl_fileupload.yml.tmpMD5=50265EE3AB7AFED04DA7485288D58229,SHA256=5C8314EE84B256EE5CC2D21BAA12291602646FF7A60C8DAE2FD011A46AF8D077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000841954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:32.999{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\process_creation\orig--proc_creation_win_credential_access_via_password_filter.yml.tmpMD5=288DBC84F75FF5F4559D82693B547BEB,SHA256=BCF99F0A32381FC8244357BE4BB11E9FDEAA7438223BF99817BDF54BD9955734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.991{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_transf_files_with_cred_data_via_network_shares.yml.tmpMD5=4A9D66659AF955898506B4732A85BED7,SHA256=B57DF6B3D048BAB82EEBAA8F4ED4AB353382E6F1F32933CF5A5AA391E5F271CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.988{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_hidden_user_creation.yml.tmpMD5=133BBD51A28B457DE7CA3AA55BAA7300,SHA256=705ACDF5A9B113DC5A3DA05E2435F30C352550F5BCFB66FF69FBA7973C4B4C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.987{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_apt_chafer_mar18_security.yml.tmpMD5=5958728230D0A59618CEB45C86CD73D7,SHA256=2CAA68FECA6D4A28F79ABCC2D2A0020090C87EEAF79FB0DC0D6B75E68C83B256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.986{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_computer_name.yml.tmpMD5=9C03D4CD7696C5CBE8EC6D0377511E60,SHA256=F18D02D0AE12052240D870235A1C680960CC2DD66910C3D20357C78563F1F8B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.984{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_rdp_bluekeep_poc_scanner.yml.tmpMD5=5624410B3B6C078C3AC14820D19F5E20,SHA256=A47EE672AA049D740DBBCFFA1E99EAD9AF7A1D04FF1B45E4F24D2B62D6AEC48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.982{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_failed_logons_single_source2.yml.tmpMD5=EBA9AD1A7695FF9CCAA1F0654794FBD0,SHA256=31094972AD5E491A7F123DABDCD8BDC2074314B6B1B45B3BFD3A65A5E3C706AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.981{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_failed_logons_single_source.yml.tmpMD5=D849EF69D9D209C9E9F8378DA59BFF79,SHA256=8577346094BEFE7CF130B2F63C77C8F1F2488F56598BEEDD8D32C9DC28F239F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.980{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_samr_pwset.yml.tmpMD5=3201FEE09EDE512F5A33839D8F93CCE4,SHA256=B1DB327DB99726EE9D291C5E797A66FA136F390BA192CEA9035765748317AB8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.979{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_ad_replication_non_machine_account.yml.tmpMD5=D80291A517DF1E359B9DF2C8DDE36EB1,SHA256=6B7AFD8ACD2FF9D3E2BB28F746E3EF241CD28B9992ABE7B7A32306C81FE38408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.978{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_alert_enable_weak_encryption.yml.tmpMD5=B47CDD006FBB5D7F6B7F367660CEFBCD,SHA256=0EB0E87D050F65A17C3A6F49654BF28267D487241F2E67A7336A63F8FC92B3F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.977{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_invoke_obfuscation_via_compress_services_security.yml.tmpMD5=BD6C6864978F137C61E50D3A7EE676CE,SHA256=7DEDF4E1050A0F517203644BA5E09E704A2B119C7903A2FFF27D224F53A3FE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.976{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_user_driver_loaded.yml.tmpMD5=9545CF55F202A7F45FE4398C091B7E35,SHA256=AEEA9E787A5248A376BC67DBBEF6855FC056AC438EC0CAD6CC143EC8CC297E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.975{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_failed_logons_single_source_kerberos3.yml.tmpMD5=CE59E5F82F5DEE0B762F52A002392761,SHA256=00913B7C64A3A546A8321C88247D80482663B5E7D527B0BD0984D291F0A00FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.973{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_event_log_cleared.yml.tmpMD5=D711C47661CADB130C542C8305643159,SHA256=D99E959D971C8B4E751471C1CD8D1AE8FB0B1290E881A08EFA76F819342DECA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.972{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_admin_rdp_login.yml.tmpMD5=1A5EFDB442E57E1D188EF7AEE56E8E2D,SHA256=39CEC2A2B31E174728FD519683CFB8E0CFF49ACAF731B4A6E714FD934D7D1187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.971{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_scm_database_privileged_operation.yml.tmpMD5=692E678895D6DE8D90F6134A50704571,SHA256=33021F3222BCE154235C13397B2CB7A88AF30A8C6A1BF0850290CC287F7850F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.970{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_dcom_iertutil_dll_hijack.yml.tmpMD5=791EA944985DC1A2202B4240FC7A6798,SHA256=FB75067C9ABFDD574C555635F105F0B8C3A7703FC40E171E72199BBD7211CC71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.969{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_opened_encrypted_zip.yml.tmpMD5=34595F8C006B6ABA1973690C01450745,SHA256=7843067A915B6D23929B65CB0BCAC091D3E1A3684D05AE81BDE17316C94B91D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.968{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_admin_share_access.yml.tmpMD5=BFD019C19495A7283ED021678A529459,SHA256=1ED863988FCCE60DFAC6EE5A042610D925B196E735E920A07A0A9C6EF3CF7AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.966{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_add_domain_trust.yml.tmpMD5=BD877E1B02F5DEE833356BFB2E5B79D4,SHA256=731BA84CC7BF8B39A4603D14D50858C516AF17586A9DDFB3A74ED11809588206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.965{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_adcs_certificate_template_configuration_vulnerability.yml.tmpMD5=9A25A77FEEEA86D46EBCA8EA758F56FA,SHA256=786D3AA2E0AFDD8E365D2546AE61714BFCD512F381BF639BD5B9B57BEF17A211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.964{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_opened_encrypted_zip_filename.yml.tmpMD5=240F28AA64120893E50DECCD95C36759,SHA256=6FAA400370E970C5CE4B15092C84C5947C36B58A3B386F8BB4FDFC0A1656D9B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.963{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_dce_rpc_smb_spoolss_named_pipe.yml.tmpMD5=D812293CC85305A5EB07A9743D1E2CB4,SHA256=1AB052F47093772ACF0E59FA0EC5A5929D95461389C528ACFE4115E9EF01A91F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.962{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_possible_dc_shadow.yml.tmpMD5=28CA75C11AAF46FA3B5075FFC5CA932F,SHA256=52C2DA80A15A5E9586A8C7A147E46605AE7771E12A52B719FE21C58DD984FF29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.961{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_pass_the_hash_2.yml.tmpMD5=F60A5D366166E6BA2D6147A9429E766F,SHA256=479504971AC27F004517636106D91EF2486FF8FEB781DC0632AC0C361014D0AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.960{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_protected_storage_service_access.yml.tmpMD5=1AB6AB4DB354B8B74447E720A3FD98F0,SHA256=F6E51243D140913B35E0C67CF89A1F14BDF6326D2F05E9478A33D5E7A9C0695B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.959{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_failed_logons_single_source_ntlm2.yml.tmpMD5=00F52D8E03E48952638B0DE8E13D7215,SHA256=494416C15FAAEE1E2FB4C1ED3894F5DF7A2153EFC16374CDC61335B79813C336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.958{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_failed_logons_single_source_ntlm.yml.tmpMD5=8ECEDCF33B82C8D881DE0849E4249A9B,SHA256=0DF6A827C3DB079089AB0324E0CA417E6569C850E293445BAD3CD780D0484E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.957{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_invoke_obfuscation_obfuscated_iex_services_security.yml.tmpMD5=FB83E3DC3EED363DC6A3BA640F8A37CB,SHA256=7E9C82107FAEB4884E87173E59974CB4A70874E00B5699D0B9588E6D83C91364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.956{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_invoke_obfuscation_via_stdin_services_security.yml.tmpMD5=FF6E2FBC38C3FF3776F78C66B271D2C3,SHA256=87ACB302C9FDB8F8DBEF721255699E40F9954D66E015186008BFC32B28C5A96C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.955{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_failed_remote_logons_single_source.yml.tmpMD5=6745BD6992469964D46DB9C307B20797,SHA256=C5EE2636BE7EE1685183973F69C130B8095C94924755219BC535B69134CE89F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.954{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_alert_ruler.yml.tmpMD5=8281ED847DF7B29F6D35F7F054D24A0D,SHA256=E6B5CEADC42042F648951F4EAB52983350242D8E525E451F516BF16DDF3D7F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.953{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_sam_registry_hive_handle_request.yml.tmpMD5=2597E197F8A67DD1CA1001FBF36E898D,SHA256=15A6F2A82AC08111E09704DB3EEB71DFF5E1465517EF0B4FD79880CEC1936A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.951{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_add_sid_history.yml.tmpMD5=410F2D58D4F1BAAAF52C6C79F8EE26DD,SHA256=4245939AB830A43F0A3C2EB52407AF584532C63D4ADC94729DFB1F66AAF5E461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.950{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_lsass_access_non_system_account.yml.tmpMD5=7698E60F1383AF99FD3A2DBC3075FA6E,SHA256=BBAC08BFB1B13210016F7CDB669A4B5F5C9682BB034B0B91F82131B6D02F8E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.947{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_exploit_cve_2021_1675_printspooler_security.yml.tmpMD5=A200DEDBA78E91B2E4B4BDD7A4E40BDF,SHA256=B6CB61661FF47B37AAD4F70459D5B27A8078227CC6D7DDE561DF37299EA0CFBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.946{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_dsrm_password_change.yml.tmpMD5=6569B520C764A926D6BCD57F644F9BD6,SHA256=4A1E50EDBBE6BFD6EADA11A319AB29EC68B740DA20DA42F0D62A83B41457C563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.946{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_mal_creddumper.yml.tmpMD5=3CCF434468A0A2A04235E1CEFCFC824A,SHA256=E18A1C5338A5C5459E21244C7A1FEF36C34CFEEE037707E278C3B77D614EF24F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.944{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_eventlog_cleared.yml.tmpMD5=2655F1EFAB56F5D5C2C08B43E01C810A,SHA256=CC4FCAB5FB87B9D589634459739659F868A56C668C48CD13F0B072AE3C4A8459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.943{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_invoke_obfuscation_via_var_services_security.yml.tmpMD5=F6CE39CED40998D87DCFE0758CBF0FD4,SHA256=72346CB6EAA3CCC275259F161F4B90F9E06080FD66520AFBB7A4660E9161CA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.941{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_remote_powershell_session.yml.tmpMD5=B6AE55B187EF5D19691DD5D59260FEED,SHA256=0BA455E755E0CA53A683B90F30BE7E199F2C3B06857CFA0BBE09317FA1AF928B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.941{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_wmi_login.yml.tmpMD5=4D3D31DF4BE1C8BAB4EC8C05ADBD8EF8,SHA256=EB88CCE79C99A0AFA23F142C9CC2D623C4021FB4605BCCA073D3EEE77BF1E2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.939{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_powershell_script_installed_as_service.yml.tmpMD5=E1D293A52466C5264D5919650F2B2F01,SHA256=4BD2AD0FD2EC8C46E3549C4A95C6C5D9681CAC09CE64CC84CD86BA60BD310839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.938{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_net_ntlm_downgrade.yml.tmpMD5=D2E967326EB2CCA178DD14406B55073B,SHA256=587EDCF5136BF989E66917FA1688B3425490FC2579596E391D56137CD61D8F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.936{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_raccess_sensitive_fext.yml.tmpMD5=89C2FEC3B48812D271610E64A8D25614,SHA256=F3A348CA602E6A9F96D5AEF001442192BC11DA8A6D005D10DD3722EC852E97FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.935{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_impacket_secretdump.yml.tmpMD5=2CC81194426A785203DEFC0F41E341D8,SHA256=8C7CE8BCFFFF203790D424BC3ECD7DD5202382395A14D80C5B7FA2E9A19B40B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.932{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_invoke_obfuscation_via_use_mshta_services_security.yml.tmpMD5=AACB618365E8DA455B7375831D950F96,SHA256=7B8E9E736C144119D427878934374D36E2C963AD4D7E098AD3C254703E2BCF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.931{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_account_discovery.yml.tmpMD5=01893C74EF926C1F8762ADCFC20E805F,SHA256=B661A96D978CB4C7B55609E791D181EC77549095AF9CD5BAB66CB21CF1640CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.929{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_kerberos_manipulation.yml.tmpMD5=ACFD5AD70728FDB2CC6EC5E39EAC2B84,SHA256=F30766D50B0C0E670D14169483584716F74B0D0A472B9D3AC7D5CC02833ACB05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.927{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_lsass_dump_generic.yml.tmpMD5=9D3227F79F9685AAE8C94D8982448F8A,SHA256=D4271869919F12148E1AB36ACE8FEC85FF2565692A9C7AF9713CC32D172CE02C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.927{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_invoke_obfuscation_var_services_security.yml.tmpMD5=DCCD74BFE602111E28357297BF9371FC,SHA256=3E861839047AFAE4FD1287A6308E024C27EFBE87D7DE2842A21EE75706AF65A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.927{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF830FE68EAE3FA6F626AED57260FF1,SHA256=4D55F06D67A4A9768513232C97FB431EBD9CAFE38D1333EF7A8738FB6C8044E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.926{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_access_token_abuse.yml.tmpMD5=BEF90B0F9B94375B88B59A2A1EF98411,SHA256=922256FA81F055107741673319605210CBDBF53612B6B15A76D9410FE31176C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:34.126{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6053BA6374A64C4C2D168C622C8339C,SHA256=C9727FB3E46992600783A3A7676019E415955E2388558EA27389BF79066E46A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.923{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_user_added_to_local_administrators.yml.tmpMD5=3661A3AA5277A9877CFE7274C3A6DB2B,SHA256=29D4C8DA6605A961FD54E98CE5B7A2049F515BF449324B02FD9AA88393871546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.923{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_multiple_files_renamed_or_deleted.yml.tmpMD5=E0B692B0C8BC64AB832DFE20B9CA011A,SHA256=6A716B99EDB23939C79C5BDFB77D8F7FED682A0AF73BE87662AC2E27FB5E1ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.921{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_not_allowed_rdp_access.yml.tmpMD5=FCC92391A71092162CCCB81120524F20,SHA256=DDA192B4F118645A531D0B858918AC341D49471953DBD9BDBCF3765280BA53F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.920{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_external_device.yml.tmpMD5=45766F94B962EAACA4911D32E36BAEF2,SHA256=AC74CF6587413A6F3B852707E4CDE371D990DE07980CA701832F78BBF10174CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.919{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_failed_logon_source.yml.tmpMD5=C79FB1239D8078D5B4B9889B321483AB,SHA256=C67D55A70DB83ECDF13E939510B1743101B48DE52E348FC67A487A90508CF7C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.917{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_impacket_psexec.yml.tmpMD5=327E02EB1897F46EA23DB4EDBC8F72E3,SHA256=F29A3A6D0F58B93D1EEA88E60F64FAB122EC768721C3FEE02EA8E4D2D6B0CA7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.915{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_rdp_reverse_tunnel.yml.tmpMD5=3AFCDBC451CAE12FBFA8574AEAD1CF26,SHA256=47E50D43E86E75EB7DF2C1C71D5E56C5B77576CF53C57B0ECC66776E2BFF63ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.913{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_failed_logons_explicit_credentials.yml.tmpMD5=1E97B299284D1F414A34E6CA3E9C5874,SHA256=57704AD5B21BF7ED4ABCCDA55023351818985528A766D201BBBC7DF8AF469AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.912{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_rare_schtasks_creations.yml.tmpMD5=7AF807439766B664E4EF0198F5CE1DFD,SHA256=BD6E8690688836558EA6A600B9F314772B1B551545F56BAFE31FAD0D451175E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.909{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_admin_logon.yml.tmpMD5=6CBF478FE78772B69A675318E85587DC,SHA256=21684F3CF4E87E4241C4623DAD02566E52F8F65E794D8D4A7C63A2A1C4F664F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.907{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_svcctl_remote_service.yml.tmpMD5=8DBF5CAC59ADADD5C2B662513D47A8C6,SHA256=05E7EFAA84A8F624A2138DB0E4789CD512447B5D58BA6181EEED1F8B058E1E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.907{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_lolbas_execution_of_nltest.yml.tmpMD5=1CDDD644587473833D9F62F59E38AB6B,SHA256=A97FD208CC0A82E9A72041D6166D2336500C8C45E786B199EEA1AC6A63ABE1CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.905{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_register_new_logon_process_by_rubeus.yml.tmpMD5=E72175DB90440D598CE77993678476A7,SHA256=2B2B84EC96EA76AF8A5CC637399ADB545F0DFFD16CBE13F3FFCBFE5801FBAB68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.904{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_global_catalog_enumeration.yml.tmpMD5=A8BD5CB5175C11C9882BC0C4A2DEEDEE,SHA256=F18909220AFCAD70A1080E56FAA85AABB0669273EE5C4C5DF761FF64909BA965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.902{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_ldap_dataexchange.yml.tmpMD5=FF1DA38D066632798F7EE91870EC7EB4,SHA256=3EAAD4D0CF35F2FF6728A984FC89D49EA9D05D4A83286AC314F385C957C50A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.901{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_logon_explicit_credentials.yml.tmpMD5=985C9CB1D08342D1A4EA2A7B8F26B4C2,SHA256=090F5118AE7A489A9DAD23199931FA4E551285B7A15D7A87E34F0B02529DF0B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.899{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_tap_driver_installation.yml.tmpMD5=747DB0167822941E021338BC06ACA256,SHA256=BD49E7150A442F430CC67F4866308EC5C041989ADC3191BF62C4ED2B05C01B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.898{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml.tmpMD5=96604B02644A57B930B34D7756B530A6,SHA256=CDEA68208298D147922D828E0FF4043D66774634D5290DA3EE834485F7B8E2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.897{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_invoke_obfuscation_clip_services_security.yml.tmpMD5=257CBB69A57BA0A78DCF058FB4A1EAE0,SHA256=DCE3B3C9A320BC88778C5AF70389C0C5DD9A3BF56582FDCF27863DE0F89C9A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.895{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_krbrelayup.yml.tmpMD5=4AC27E26B3AE7DAF81365057D31C095E,SHA256=203A9A17440F6B717DCB127143347007BA5D9094440FA355D7A64A0CD10223A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.893{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_rottenpotato.yml.tmpMD5=108059647DA5605035D5A5936431DCBF,SHA256=8CA350972D80296D1EBBFEDC6D3662586DAABE9BA9789F82BCD4BC89FBF4A88A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.891{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_aadhealth_mon_agent_regkey_access.yml.tmpMD5=73926DF86DD50AED7CE9711172F22E64,SHA256=B1A85D18DEFF70CAF74A39DF80BFE38D452AB56D6EC9B8EF9D5B59DDE810743E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.890{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_metasploit_authentication.yml.tmpMD5=B0784F9472A6ED1C9B5DADDFF68FE29E,SHA256=DF42C2FFC1F340FD9E8EFA77A063D9D55079EE6A6D601CD70D0C278A06527487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.889{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_petitpotam_network_share.yml.tmpMD5=357C426491493BF1A4CFE77EEC63DE01,SHA256=307DF6C60D4DA95CE2D98C797110BD33CA10A55599B4A14D7BC5D3FC3E291DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.887{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_add_remove_computer.yml.tmpMD5=6E7BC33E9C98C064C9C2D327CDA88D6E,SHA256=D6F39AF26F6866BA594B1F8FFEFB774D673A2947F76408EEDB2B52407D513EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.886{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_wmi_persistence.yml.tmpMD5=F63AC425C34B9AD3764F65192CCD1076,SHA256=63BC485C01FCCF1A3507185A52BDBE5F1E043BB6C4A4FCF3D2EF9AB0C41AE619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.884{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_net_share_obj_susp_desktop_ini.yml.tmpMD5=1EDCF5728724C5864668B6CBEB654CE8,SHA256=D104FEBB66C0AEC22550AF72FCB452E00D58B2CBD958184E0A98A641908F2FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.881{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_camera_microphone_access.yml.tmpMD5=4250D2201DD0F85FE3C8A38B9C35B215,SHA256=82BBD39E84728B6C65250FA2C64F5563016B152CAE386245450A7B0848525923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.879{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_cobaltstrike_service_installs.yml.tmpMD5=4FF8E2DDC275499756517C74D8DDEB88,SHA256=5237A0F649848F102579A90F4A917B1F6105AF07A8B43B21088A544F9730D5E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.877{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_mal_service_installs.yml.tmpMD5=FAEC227B6D0708B447177AF169AFF009,SHA256=ED1F4C527EC09D0FCEC0F54A45BA7BA3C8A9E94D02058507DA409A636C9D8FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.876{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_vssaudit_secevent_source_registration.yml.tmpMD5=2A36558E2A0AD0F6A783962C8D9D513F,SHA256=B347ED6C979351AB6D2622FF5A3C95CCF2E19D9A2054CEC641303E66726407F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.874{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_defender_bypass.yml.tmpMD5=37074BC2A6F9B5CB89E53B3256A869D4,SHA256=0F970C19DA5A5ACC9D1045A533970191B38E1AC444185C6FB20B7A601F4B25A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.872{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_new_or_renamed_user_account_with_dollar_sign.yml.tmpMD5=3395E155A2E0F30059895F9BAFC52D4A,SHA256=1AA2618D7BC17FB826EDD773D11EBCBF900DF951DC13C0579C4D3B6DBCBCE3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.870{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_ad_object_writedac_access.yml.tmpMD5=06D7143D18174C56C669C5F27E52F390,SHA256=A9A0335DF0869467197B42540A06F729A42680D6C015ECBD2CD3B66A347890D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.868{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_iso_mount.yml.tmpMD5=202F9FD9447B50E0D8F1288371370C19,SHA256=7BB025DD730ED8023266C2A2B226E533E5CAC48AB31ADD43160705AB7F9A2052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.865{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_outbound_kerberos_connection.yml.tmpMD5=D8DAEA44D61539C849EFAAD93D989524,SHA256=49FEF6E2E520A9DD43E5908B0B6963D588A888A4B2E77EA38F4833D43E188E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.863{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_hybridconnectionmgr_svc_installation.yml.tmpMD5=5A88B83382AF7A6085BD355CFE3D8A67,SHA256=05F5A82E08890539F9CCB1552E02DFAFA1BDFA0D7FDC8FA42640D45723792A86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.860{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_replay_attack_detected.yml.tmpMD5=D7EAEC57F7175B7F56A8F9ABB8E5989C,SHA256=9AE09BDFF82EC970EB389CC63506A0A315824EF9F8ABB6C96A6AFB48E8FF26AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.858{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_failed_logon_reasons.yml.tmpMD5=E2ED7F12D370F69756FABB9E26ACBB06,SHA256=DEFB311765CE74D81B91AB237D1F8AC696815F34A8457A9A8A49F954B0CEEDDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.856{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_invoke_obfuscation_via_use_rundll32_services_security.yml.tmpMD5=35A71B83037B28342D583950CE968BEE,SHA256=8175E2F2CA3E064DA0AB7C6AF1E4C02FD5F383500E67A10C199A35F808D232DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.854{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_overpass_the_hash.yml.tmpMD5=2BF493E550877E56F24189A1BF84E48C,SHA256=2C74FEA457966672C6228B876ECC23D42D6B9C5FA0A3CB9994DFF551EF48AAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.852{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_smb_file_creation_admin_shares.yml.tmpMD5=A4FA49F66C742700BD476DCE5E2B4F75,SHA256=423A585214925C114250A1B08471D352334BE4A52B1FFBD97AF46EA674E99EC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.850{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_invoke_obfuscation_via_rundll_services_security.yml.tmpMD5=0700CEFFA73330A97D6F2C1053AE9997,SHA256=2CE23E83093A08FA6ED689F058509030AAB9DFF2DA80DEE84B7F36EAEF3FD37F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.846{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_alert_ad_user_backdoors.yml.tmpMD5=C36A700A64A607A4AFB330BB4356B1CD,SHA256=56AFFB90C0B6A1C04DA5678759F14C62E2C28D680D86B0358CB7F5D910A5A2E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.845{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_gpo_scheduledtasks.yml.tmpMD5=B781FA3ED4D3D369B030EDB9386F154B,SHA256=6617604EFF09D418CF9F542069DB3E29EDE9DF9C8690B8C196B8CFE3763B1056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.842{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\sysmon\orig--sysmon_process_hollowing.yml.tmpMD5=580E62B8716C4C79C4843BD97A3C3D4D,SHA256=96430DD204A654B0AD4368F0925D505627F5850ECA3B31E9DEE7AEAABCC2228A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.841{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\sysmon\orig--sysmon_config_modification.yml.tmpMD5=51CEB18A6C4C930D85EFD84A0C4457CB,SHA256=9A165FC5AFD8D3EF8E5AF68D95C1D48CFCE4B30AF68D73412AE6EFFD7AF3C2E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.840{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\sysmon\orig--sysmon_accessing_winapi_in_powershell_credentials_dumping.yml.tmpMD5=590045DB402E93A3392C5022D9065B38,SHA256=E33E422A770133380A9BA477F583612796273C4D556B9A1836C531BF59B620AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.840{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\sysmon\orig--sysmon_dcom_iertutil_dll_hijack.yml.tmpMD5=94805591140FB75C12C1714414E6CDC0,SHA256=C8CED44003A7F16D9224B944F918ED706D0AB353F732E6E3E6416ADA9FE6E3A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.838{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\sysmon\orig--sysmon_config_modification_error.yml.tmpMD5=A80033B278351008546DC21D18B19F38,SHA256=EFEFD9D1AFAA8F0F29DDF7FB3813D1C7E5269B07E0F6E6C5A80659E77A36C049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.835{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\sysmon\orig--sysmon_config_modification_status.yml.tmpMD5=93851BBBCF5998EAE2F196EA8D103731,SHA256=D1C8277F462ACA9AD2D25B50A014E8DB2611C80A7604B0B0F9B3CC9AE6B4268A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.834{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\sysmon\orig--sysmon_file_block_exe.yml.tmpMD5=316881A4763B1709AECCF465804BC2A3,SHA256=01E45F4652E81DD7C4449F97E04D2F4F4FA93DA57E73C6B23B85A162BE5C0CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.832{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_change\orig--file_change_win_2022_timestomping.yml.tmpMD5=80CD8892AC254BE185564875DC8B4E92,SHA256=55FC558C19AB0145724E4F134ABB693701E12397D48E879FC1EAE8D52B61C93C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.831{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_change\orig--file_change_win_unusual_modification_by_dns_exe.yml.tmpMD5=CC3F054A07CB52D11A3C378DA03239E7,SHA256=A409CF9EC8A5D0235B3977BF255642714CAE50003F32E59D34DF843B8F8E619C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.829{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_access\orig--file_access_win_credential_manager_stealing.yml.tmpMD5=40EB91CD9AF828306BE5D27C6FEE934C,SHA256=C44C48943319E0F41CADE398C33DB901E26E8E4C855580E00262B526F5E6F178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.828{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_access\orig--file_access_win_dpapi_master_key_access.yml.tmpMD5=08EA1B145EA78071C7869ED1FE7013D0,SHA256=BD1326D24C61028E4019038C73E0523847FF8DBB84E85549CBB0C5CB8D0BBCEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.826{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_access\orig--file_access_win_susp_cred_hist_access.yml.tmpMD5=8FECEABD0893226457A66C91EB9159A7,SHA256=57D4E43E466C4522110D8BD23D27B03CC4AC1652EC1E48985508D265BA008D45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.824{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_access\orig--file_access_win_browser_credential_stealing.yml.tmpMD5=6CEC919C394CF74F7AC3D247EE2D9011,SHA256=104E33298A91AE1EBE4282345CA71894C95A6056B81BF358FE33D5F2AB522EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.823{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_ripzip_attack.yml.tmpMD5=A93D236728E1EB3A695DC6E5A72885F5,SHA256=E49238E97DA9C7E435A9DF0A9F383D138A12C64138B67342F7CBB407F783F418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.820{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_uac_bypass_dotnet_profiler.yml.tmpMD5=A55A31AA9437405F8A999D86C4917D3D,SHA256=7FD4099447FAFD5D70AAC3BD5DE038B3653A56493B6F10940541A3A8F4DBF9C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.818{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_moriya_rootkit.yml.tmpMD5=D50050E94A8ECAC48AB9237A24588FB8,SHA256=5B7A700A1535E032F137A77CC9DE598B3B4B7A610C219EFC8120102F59A975E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.817{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_anydesk_writing_susp_binaries.yml.tmpMD5=700D3C9865A565B6B619106AC5231A30,SHA256=F72B9D8B88E4FE2BF85A84CF3A422A9EC2D0C6511E6D0945901ACCE25D8CDE98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.817{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_mal_adwind.yml.tmpMD5=4010D3DCAC393A70CDC0A57D8C0E3E0E,SHA256=893A73A23FDF5CA551F6CB6ADD90FAD88C6BB6F603582C70A563A972A630BFB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.815{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_teamviewer_remote_session.yml.tmpMD5=07B5C5BE39D097D78E1714B84057ACDF,SHA256=E92228DDC9501A04607D6B09B694E938F47545546B8B3F29F586B9DE063A0D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.814{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_rclone_exec_file.yml.tmpMD5=76F76A25E4D0E69F998929E8689BE6B9,SHA256=5F14B1B33F275ACAA8A2DB2021BF276111317F15F51BEFC9A24952B134E4CC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.812{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_quarkspw_filedump.yml.tmpMD5=B5CF9F1087C7146093F0C020312FF9EA,SHA256=408D371E1EC1E1648B1CA89E79F34CDACC61601170E34A1429BB3E4BE7345168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.811{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_dropper.yml.tmpMD5=1D9AADA7214B303BFD946B4E60D3A463,SHA256=207D7FFDC4CC433EAE901C29721C5FD60920306E286F567CBED01FD259FD7D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.810{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_werfault_dll_hijacking.yml.tmpMD5=B9B102D53B480CF9B144824C09E01E7C,SHA256=EE991A2CE84D499FE2767EF6B9DF7D4B3C9A68D4F5FC2B05D5A82834EA9C3DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.809{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_uac_bypass_msconfig_gui.yml.tmpMD5=6E02B283A7962EA8B7D2AEAB79E0E322,SHA256=079A0F6B5AFC3FF251D357794DA1BA85080FD4A54B0777F565C65274C4FE9C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.808{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_desktopimgdownldr_file.yml.tmpMD5=EDF0145FCF022447FB21CAFA70695EFB,SHA256=ED2065E5B88EB2C378408F6EAAC88BFAA7C31F57D3152BBB1F202FE085030858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.807{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_cscript_wscript_dropper.yml.tmpMD5=D340A05BC4B437C8CAE19778FFF6F8F7,SHA256=9F3E7C5D97F8ECD2F20E392DC20C6D70D7BAF073671654C5A780CE7B32F3E29F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.806{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_powershell_profile.yml.tmpMD5=DC04AEE64BBE44DFCC387C3AD771CE9A,SHA256=CDF756661289A3990F92D587D2482C7978E2C7F18AC8F82EFCD2B6E2E82E5B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.805{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_spool_drivers_color_drop.yml.tmpMD5=44A25E1EA7FC6CAE5D7517DFBCAA7D8F,SHA256=3069568F9502391FF87470D9FA5FB592022496F4B8936EB02DE3C5BAC7260A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.804{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_pingback_backdoor.yml.tmpMD5=0494DD162416A9A97D19F96ABC643100,SHA256=7CC5FFA246B7FF0409D51D1F0DFCFA45CAA5024D1819DCFCDC46097745633B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.802{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_crackmapexec_patterns.yml.tmpMD5=44179F9A09C2255B6E23BFFD99020A12,SHA256=38EFFAC830B55F01161D150118A0C6AA9A917A3EFD9E9BAE997D1A1F2A811CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.801{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_uac_bypass_ntfs_reparse_point.yml.tmpMD5=97982A45818BFCB2ADAF2D9354390AA6,SHA256=02094B91E42CF770352A33BC5AEE357FBC3004530433130E7E137F7DBB73E848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.800{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_diagcab.yml.tmpMD5=68986588F059F21B48A79751ABCC1AF8,SHA256=CC38AC1A725EFDA54C33A20E58391EBA5DB63298B38744027B8AB117C7346CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.799{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_lsass_dump.yml.tmpMD5=2BE624E8A6BE3ED60D2AD2E2FBC093BD,SHA256=A5E5D74810F214142FBF3521B5AA333B46D94659524B8620EE669A9ECC885A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.798{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_system_interactive_powershell.yml.tmpMD5=1A7EEDB753D381604614C9275F5C648B,SHA256=82F4B56C00946B85E808B13AFC37EAADFDD840723A090DF5DD9A96854C838E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.796{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_double_extension.yml.tmpMD5=EE362011DE0AAEDA893DB7913A146257,SHA256=52E307A0726E50770ED7456CE67FF92AD526C08B8ECFA57830B82331B59268AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.795{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_uac_bypass_eventvwr.yml.tmpMD5=B7966805C2920F98B59D910B2BACC952,SHA256=DE3D86D1B5642ADB3FEDFA91C942FE2DF1FF67C9F30F5EF7B8C8FB5C5098DD2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.795{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F53F0B5C4FC2E3422324F8F3A005227,SHA256=3317D125D07F36E125765425AB6438A34439917FC0D441361FB7E648FC0C010A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.794{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_wmiprvse_wbemcomn_dll_hijack.yml.tmpMD5=BD61791449843A361635FE73B7FAD3E5,SHA256=BD55C43E53B2C8DCD7D56BDD8E925BA95A405687D3CCCDCC50F3C46DB1612DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.791{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_outlook_c2_macro_creation.yml.tmpMD5=28E9674B0CBD5B0171BA52D62536D0D6,SHA256=D845EB00AC36FC149F6770BE6139FA446082F9570FC03AC753EA49B7251BC8C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.790{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_hack_dumpert.yml.tmpMD5=706087453282F4224465B7D0A450EBBD,SHA256=6C07AB55D7179D58CF461B474FE2CC9140F38618A369BBE34101FBCBF59B5297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.789{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_ntds_dit.yml.tmpMD5=7C024C45432875D4B5A22D3A2A34C89C,SHA256=F576CDE7F5D2C424005D87890CE5C7BDD8E63F3563FBCD83E52A2C789EBE609D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.788{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_startup_folder_file_write.yml.tmpMD5=7DF5A8A91B13B503287DA731D10B377E,SHA256=C1F33BEA22154702478E303555A520CBFF30EBB9D30D8C314ADF18D68C628B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.787{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_access_susp_unattend_xml.yml.tmpMD5=DA85AD296E995FA5285053C8BE546A68,SHA256=4258F26A312A14C1322D407BA53A79102A5FBB387842F8DDB63820E690DB8247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.784{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_powershell_exploit_scripts.yml.tmpMD5=3A3684EAA149BC3C93136A7DCF49EF93,SHA256=66840B77988DF8089AF95E7E28B854D7790CDD153DD092E1CFC19FF40AF5C73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.783{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_creation_system_file.yml.tmpMD5=0E0188F841F8EFC081A9F5E5BF42351B,SHA256=AC65DD55337DA06B0AFE6FA61E89B01593D248D7A52EE3E05D93C8941B6AA2D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.782{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_creation_scr_binary_file.yml.tmpMD5=56CCE8F61769EE39917902A119F966F2,SHA256=0DCA5CC81C588A832C540A367E28A3CFAB2865BA0E13D9D44BCE3D5CCAEB1D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.779{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_outlook_newform.yml.tmpMD5=0F96081364B5DE56A8E60894AB50B25B,SHA256=1F02780BDE893F64DC360449C8F2FD43D53A20FCE4CEA32B8DABEE82D73A4513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.778{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_winword_startup.yml.tmpMD5=7350BC3BE8848BAEC54210D6B664A497,SHA256=2C248DEC74CAB742E83F50F3EDC1BC0A6DDEF11D7D2997BA17E3F7C09CB63972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.776{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_anydesk_artefact.yml.tmpMD5=24638207066A3F43C31CE3C2CAEC7A6D,SHA256=C91CED1B9069ED52553F1D9DC09B2F6BCB36EE76C839D7F88CF0BC9BC009C382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.774{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_creation_new_shim_database.yml.tmpMD5=B03606D03CCEC83D5B35185CFD5BCE2A,SHA256=253B38C1425547F5F9AD586575708786C36C407E3216FF82185960FC66A3CE59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.774{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_lsass_werfault_dump.yml.tmpMD5=7CBA0671F430181709F2B30EEE879980,SHA256=459C5710B5BB1CC8FE1141D734F5CCC5A330B6D12C21970FABB3F214D3CC2DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.772{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_desktop_ini.yml.tmpMD5=B6502ED28BCED1F7BB062EB0169C1C61,SHA256=FAABB48D6291470C4E294CE2833E45DD5DEA09233E29A652A492816927795B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.770{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_uac_bypass_wmp.yml.tmpMD5=FA70ABB971255936059F51DB4552EB70,SHA256=3CE9F2D0C764CAF34B890E70BEF60A34DF3E0B39590F531BF3939707F4C109C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.769{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_error_handler_cmd_persistence.yml.tmpMD5=221A9F5AAC480BADB28CC28DE797B64A,SHA256=08A1B42C4D059A0C9E11A5559A317FB4931EFDE801911925C4151BA5D78D6125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.767{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_mimimaktz_memssp_log_file.yml.tmpMD5=933A8A8450359E7E2473433F6C0E70E1,SHA256=DECAE5DA0E8D8907E7A415A2CF4084888FB8A4B7E14BF56ABCD0A880AC3BD5BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.766{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_executable_creation.yml.tmpMD5=EAFE262B6C8AEE517B5E236F85A562DE,SHA256=0290B2B4EB52A7CFB71EAC3B271E9F2D06EC962F71975B5B9100DD931243C1B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.763{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_cve_2022_24527_lpe.yml.tmpMD5=82A9DD0326185C9A75C23AAED804DD06,SHA256=09B7711EC431D9E0F0F3DA029AB117AC7FE109BB044810F82121AED1B0DC2CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.762{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_mal_octopus_scanner.yml.tmpMD5=206BAB9015596EEFF4DEC8CCE8567EE9,SHA256=C55A140998CBFA3AE8865EC280BD69BDDCF9951533315F193F872482BC7DD3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.759{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_iphlpapi_dll_sideloading.yml.tmpMD5=C793721AEB9A7DB915DEBDF76597A6FE,SHA256=1D06BE78819A4D7FAD60AD019D6B002F6A40729906423215F318A19D6B7D1D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.757{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_get_variable.yml.tmpMD5=2FAF25BE629E991A4B620FDE043A9740,SHA256=973088C98EC0D0E916EEED06F333503CE74E884B5C9EB210303EE56D86054D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.755{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_creation_unquoted_service_path.yml.tmpMD5=30546D70783017FB25D5570747C0EEF5,SHA256=45874AF33E9F5C2AF573D520559B59E0E9EC295C217A4B0455531F021119A106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.755{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_pcre_net_temp_file.yml.tmpMD5=59931395906D708D5F3703F5818EF668,SHA256=78C2335BD1CB4A078A2D781CDAA20C6CBFB4333970A3265C3936CFB9CCBC24BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.753{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_word_template_creation.yml.tmpMD5=ECE6DE94FD867FC2B6FEA4DE6A68C6C5,SHA256=AE933986539C4FD7553B4A73F893041D702F8D1BD419337AC2F13538F03836B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.750{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml.tmpMD5=9932845AFAA1244A64EE3B89A04F5C98,SHA256=D06528D4A4B5BEC7547CB004D81F9AA3D5E01097D8C86EE637C64804519EB25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.749{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_default_gpo_dir_write.yml.tmpMD5=6259825166C43E95172E2996C9B0031B,SHA256=D1FA170A038063A723A827D0B526BB3FE7E5B08CF3AF28755609662AABDFE26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.747{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_mal_vhd_download.yml.tmpMD5=FA928D9CAF63021F7CA12F8E2993C65C,SHA256=1375C93609F31C599A1DB1772FA09EAFB8C74928E4E0F79EE60ECEDFE960CE41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.745{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_tsclient_filewrite_startup.yml.tmpMD5=881846F5A1A9B3314F3BFCE2F971B3F5,SHA256=3CFC62484ABF32D14DA93D08F0CBE18B4E91E2C0560B311A27D083D24BD568BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.745{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_wpbbin_persistence.yml.tmpMD5=D97A9B48E8C856BD14A96A788931D45C,SHA256=F078A963759A352249C6F04B6E39B27F4B126D10B2B17DA318080FE176510878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.744{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_wmiexec_default_filename.yml.tmpMD5=508A6D5044FAE5746E53AAD361013BC2,SHA256=BAB6DE1223BFD1A3480B6C2E44B5F18E13E00A4090B847B4F43F306BEA360A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.743{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_colorcpl.yml.tmpMD5=3C6629BC554D4EE5DBB7BB747498D9BE,SHA256=217BC7EA3C8C4B4ED51E5E51C8B01EE8FD7183872524AFA95A08DA07A25A1C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.742{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_uac_bypass_ieinstal.yml.tmpMD5=440F7D8D07AFA3074422A5AA7EEB0578,SHA256=389657DEBA778CCF2B42FFEC183A868073A6F028A7E2F6A0CD4FCC125FDA851C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.741{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_task_write.yml.tmpMD5=EB18ED4694CB730A4352EA14DD7DB98D,SHA256=24D1C31DCBAA8309F12A4C961747396C1B9E5C51BBCCC395C0EDD68DC10C454A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.740{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_redmimicry_winnti_filedrop.yml.tmpMD5=BBD46A72542D69169D11A65957189593,SHA256=88DDFAB9422D0CC27CDBFB86027744BC68BBDD37E4EA505D7AD79A4216EBBD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.739{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_exchange_aspx_write.yml.tmpMD5=E5751A56B3B5D73549A2B191C88FAD4C,SHA256=A0D4C12529C43F6D61EE98C019B78A19A8A8781F146324CC7894605CF9F60C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.737{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_legitimate_app_dropping_exe.yml.tmpMD5=AF33C4E355D4BB7901D259068497AD97,SHA256=B550E0571AEA4EC591883052F5950AD1568D2E25616362663D9C58679A4DC552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.736{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_winword_cve_2021_40444.yml.tmpMD5=E82569F4065139C49A143F53753CA10C,SHA256=1DADA729FA6F2AE87E615E4948D3B25C06D25D14E55D19F55E2CBCC34F0DA263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.735{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_msdt_autorun.yml.tmpMD5=71F4BE7147106FCF5935E30CDC6C9AE2,SHA256=81977122EEAB8B202CD4DC3864AC5C8672174C26244981E7CD3A449B8EB13EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.734{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_screenconnect_artefact.yml.tmpMD5=D9C1F8E2AE136186DDD2ADF4AFA9FC52,SHA256=9CC783639357E61AA5C3E80DFAF7C1019F8455A69865CAF9FE5FDBEB3871D158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.731{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_webshell_creation_detect.yml.tmpMD5=C09455F19790C772CCE8BBF9A7D5CECC,SHA256=CEF5DA2D639C98BE851314C345A15899C84104CE7B31CB11FAEF7652BB393663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.730{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_adsi_cache_usage.yml.tmpMD5=513E2F850947EC971E2C8D54E615107B,SHA256=93E9C8E94690A896CB247DEBA56B8A929A4716E66A88A17C64D8FE410110EF06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.728{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_hivenightmare_file_exports.yml.tmpMD5=673FAA342F7D2FB636CCB22185D48BB2,SHA256=FF777BB2D2D1DB4574E10CA2D0940561681ABFEF52C2A5FF456232AE10DA5A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.727{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_csharp_compile_artefact.yml.tmpMD5=146786EE9AF6E50743961A445D8E386F,SHA256=10BD50EFF135561D57970C91E942EE8C5CD93F5C7B7F6E6C42A683D58E57F6D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.726{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_creation_by_mobsync.yml.tmpMD5=7E26E70043B072137A02D692FCF09F5E,SHA256=CB9E8875DB32E2298400DF859CE699FCAC815BC42C565D62DC28C8A571270FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.725{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_office_persistence.yml.tmpMD5=30291AAE84F11EFF25B07BE41ABDA6BE,SHA256=35DF105D97CCEB4D82939D3AFBB3AAB367010987A7BFDB279E51D7C7F48B4423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.723{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_clr_logs.yml.tmpMD5=361F984CF158B89961DC03856607C9F0,SHA256=4369DC626FEF47431FFFE0EC553266ADB1D532B66AFBA79F0C89E35D9D300209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.721{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_gotoopener_artefact.yml.tmpMD5=26FC4096234E8E3B43EBDA9879C2C703,SHA256=056ABD16169BB701DB3CD249E81256508E9B138B1828575BE5564423028639F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.720{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_lnk_double_extension.yml.tmpMD5=9C8F1BD5B014125C3CA07F5EB17E62F5,SHA256=97FD94E72B7AA86C1FE3611DC952C8E3899016113D780665027198F5B4175E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.719{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_ntds_exfil_tools.yml.tmpMD5=32D0A72D62EEF30903818581722BECA1,SHA256=60763A06D56173648D5D2F99F7A3761F88D940438FC994F2514E5A37128895F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.718{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_legitimate_app_dropping_script.yml.tmpMD5=69E37E446E71CA43FA392245ACBE895B,SHA256=BAFC52A9F09C37B8DAF733DDF9EEC956B385A767B0852644D75B406102720E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.716{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_cred_dump_tools_dropped_files.yml.tmpMD5=9FE169DE0AF1F537708E8903BFE1FA19,SHA256=E00B9CDD4371A09890E0634DDBFE1D9C409DD390BF6268EF12E723235ED8FBF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.715{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_detect_powerup_dllhijacking.yml.tmpMD5=BBF2E8A4F78B0BCAFF456EBD31A04B2F,SHA256=1766D9941F43E0081578B33776F4BF866E318BF04663F0454FE9741F41B56A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.714{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_lsass_memory_dump_file_creation.yml.tmpMD5=7EB64C5549DABDF465A3ED69BEA5666A,SHA256=B9869CC8515C101E6EFC337533F97E1C0EC0A3B8F25EDEA5D55420A2E66240B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.713{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_cve_2021_44077_poc_default_files.yml.tmpMD5=7D5407F3E79E8D2B15EEDF2BD699FDD0,SHA256=7DBD261AFBB348BF3400073F1A641DC945BAE26AAE34275D2B001187AF92C5A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.711{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_startup_folder_persistence.yml.tmpMD5=EEDE8950EDF8856023D0DB87E1157C72,SHA256=01C69F9B515C425DA0740E21A8B1D794ADE2A6ABA8CAF4F875780084E21A877E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.710{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_vscode_powershell_profile.yml.tmpMD5=29846FA39BB78584F7AC857DE496303D,SHA256=CD889500807919047C2AA7E0207E92ACF731A7CFF7C8E10C2D12B2C2F8E0CBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.708{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_winrm_awl_bypass.yml.tmpMD5=1C91D0722AAFF305256F0540C8A29E29,SHA256=AC4F04CCC37494F114A7F6ED4C83287633761D452B6EB00780A133836D80D1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.707{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_notepad_plus_plus_persistence.yml.tmpMD5=7E34D4C7651A794DE5288389A6CB4497,SHA256=9F20F6869F23FF9E3B3BFB2E7AB42C5B00C686917310DDF33D01F4EE033DF8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.707{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_wmi_persistence_script_event_consumer_write.yml.tmpMD5=EAF6E620A0B0AC3A8C13B8BDB9955575,SHA256=DD0282A56CA62BCFE6BF2C288E4A93FCC59D7B2212043DD0490E5AC0F3364FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.705{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_exchange_webshell_drop.yml.tmpMD5=05A4D7568A304FE99A30134F359A35F4,SHA256=F8FD49596950F33A2B2DA30F5F31995125C15264430937F7E75D293364DB8A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.704{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_iso_file_recent.yml.tmpMD5=270110E5A09B41B64992F3619401B248,SHA256=55B3A88A00AD1F23BB9369C5390D0EB23679F2C87781901C0BAA56B2D4A4B30D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.703{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml.tmpMD5=3D5C48C211900484B37E91C95E51BEF7,SHA256=4AFEA04D0D4A473AECA58CF7425434F0CB5C1DBDAF813D1F29A46639FC5EE9C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.702{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_cve_2021_26858_msexchange.yml.tmpMD5=1B00E09FBC135AD7EA45AA87A46022F6,SHA256=E73BB79582A7D583A9ED86646F27977B71127CADA5F3294C24F7AC706C5F187E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.700{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_pfx_file_creation.yml.tmpMD5=5E7B2E9595D21728E35C3DD67B3AD581,SHA256=4C1D75BF085CD258A179A53C7C808E793CE54C28DE981218BDAE09D56560AB72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.699{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_tool_psexec.yml.tmpMD5=02E855F4351EA000631B21C318A5D134,SHA256=454C9347950FE421E0A7091CAF13403C492F3A79C42173469DC553608795201A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.698{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_access_susp_teams.yml.tmpMD5=108E63139EB45BA7E1D759EAD5090047,SHA256=5308F72358F0D23FD62DE767379CD0A5A756CCD68F0E04DE9642FA934049D747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.697{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_bloodhound_collection.yml.tmpMD5=FC4D37F398E1C3FAB0650E424252F62C,SHA256=FA60B2BFE6CCB5F3BD97D9F3FCCAFE4F9471FC710F595E172AD4306D75DE75A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.695{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_ntds_dit.yml.tmpMD5=93CD7E2295BB4F75D41F8163562ED5E8,SHA256=80BB424875DF54B29613771335636A53E2C95E1251EDB2FC85106EB1416C57EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.694{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_susp_desktop_txt.yml.tmpMD5=8AD34D96BFF6356A955118D601BFDDF4,SHA256=BAC6F6EE5AD83EABD0E74878EBED90B143967274D5039A30233642D19A34FD09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.693{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_writing_local_admin_share.yml.tmpMD5=4A1389765D9AE873B13980A0E73A851E,SHA256=A08F28C3630155CC7FF62C0AFF04871440A9504ABB5CEEF24E286EEE4F1F116F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.691{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_cve_2021_41379_msi_lpe.yml.tmpMD5=37AD23F45A567C7797309698638C97AA,SHA256=202ECBD32A9B2EC97271D36E04BEF9C13C284643B512D2DA386AA270A19AF24C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.689{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_inveigh_artefacts.yml.tmpMD5=DB2827558C2302DAAC36E191C87B4202,SHA256=D0BC39F5B128DD3A3AA3013654AB3F6435A368191A7C643DE77D3ADEBCFC5284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.688{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_shell_write_susp_files_extensions.yml.tmpMD5=38357BE45D05433A38F63EDC4B760ED8,SHA256=200405F364B927E1C7A521AA0AC4C64E7A726560E0700770C4C8304F382B20E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.687{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_uac_bypass_winsat.yml.tmpMD5=17C6E56387594AA1C05D8CD6CFB8C493,SHA256=3305ED06FDA5D61441C432C148BBD27F1912911AD361D952A4919650EDAFC119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.685{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_powershell_startup_shortcuts.yml.tmpMD5=1E7BBF428BBCF8D43A30CA5C56C2B56B,SHA256=26B343EC9410FF855BE9D0E7091E050318E8AAF12B919128F65A3C85701D392E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.684{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_mimikatz_kirbi_file_creation.yml.tmpMD5=55FE0643BE2D4ADD84AAAE4B23A3AD20,SHA256=08451D48C41F0FABD8CCDAAECADFAE7F5901EE0EC287FAF6F828E5A31D207E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.682{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_uac_bypass_idiagnostic_profile.yml.tmpMD5=401861AC76971025614100ACEBE943F2,SHA256=D3540CE18C4D5756F19BBCD9550BDFF819B8A68128C959E1E9EF674F6E756D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.680{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_macro_file.yml.tmpMD5=F70D7F9BFB0CC37D8A6007C44879ED48,SHA256=17A87E1AD5A923DC61E48820AF0ABAEE5280B973E09F81A92184935E53CB19D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.679{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_new_src_file.yml.tmpMD5=12CE5923CABD59E020AA82DBF640CD3F,SHA256=8F2770721BC2BD66F96A87024256A0C16D24A6E6DB38EA83ECDE9ECFAA875DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.677{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_hktl_nppspy.yml.tmpMD5=BCCB9C4EA478BB530CF14D5CA89412AB,SHA256=139F6F4EC438B46E5670E3A2AD196D4698B3831514F36B23D0AEEE56EE735792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.673{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_cve_2021_1675_printspooler.yml.tmpMD5=951B4FAD01E24A62A99E1BD15F305D19,SHA256=2E1E7327532CB0D6F2CD5C1EE724B49F22C8E39B415C0152ED51126E1025A3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.671{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_iso_file_mount.yml.tmpMD5=EF798FAE076EE129EADB014D5E56BF34,SHA256=DFF0EF8CC373C8D120C542672A48F06C86BCCD15A75C100DC40CFA9FF66ACCB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.669{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_exchange_webshell_drop_suspicious.yml.tmpMD5=31F3B4776F836941F53954A7D15B35A1,SHA256=EC678820ADED11C6D86AA131E21FAFD55523FC6616F6F50327281406E9D60A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.666{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_advanced_ip_scanner.yml.tmpMD5=728DA01958DBEF54343737645655B084,SHA256=B786291676A6814316F006294C3F493909A8572BF717D5EABBB67BB8FE500E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.666{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B809AC25B0EFEC85AA4E1F9E489F891,SHA256=8EF213C4AF00BCB25A2252DE8915307C20B2085099F885E1454831A244A236BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.664{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_uac_bypass_consent_comctl32.yml.tmpMD5=39C0F4DA108EEAC0148467F973A75D78,SHA256=EA192C2031B3CE79BC928324DF88A9DDEC28B48B6F447FCDCA4893E88B4142E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.661{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_apt_unidentified_nov_18.yml.tmpMD5=940F75EB4AC0C8331CA70501DBCA5AC8,SHA256=A2D3652D5EE5DDD76071F265A7A7F76FC2FD05259E685B009F0E10729A1A6ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.657{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_sam_dump.yml.tmpMD5=D86B25B7AD84402DF273F0DB316612CD,SHA256=9EE249F639554CA37FA2F1062AD9850A750854A10078CD8565E7CDAADF4546B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.655{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_script_creation_by_office_using_file_ext.yml.tmpMD5=C727BE3884AC53EC0B94DFC51BFC46F1,SHA256=C73B4CD70949614A1B8AF79A913778E139EAC6C14D741EABE1C6FE3700FE65FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.653{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_legitimate_app_dropping_archive.yml.tmpMD5=8D4604502F80F0A52CC672CA3D691056,SHA256=59D93F9267627E63CBFF5FCE50E5EC85E3F7FD7F883E90C5E3828C49CC9CE760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.652{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_net_cli_artefact.yml.tmpMD5=F7080B18F227D6767D499791D6448539,SHA256=1C8E54A644DB91CD2D62BD28ADA3836FEE608D6177AF0A37B3F8D3917F9C9655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.651{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_install_teamviewer_desktop.yml.tmpMD5=0BFB7EF800E297733B94D6CFE8507CDD,SHA256=EF34CDF6F37F7ADE21D225623EF2AE9EF76E006AEBF87AEE43DF5F4A1527F329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.649{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_shell_write_susp_directory.yml.tmpMD5=4405E8FA35DC1044607DE622BC94B845,SHA256=AC93D50730A7F12242B9D252F7EB486BDE44F3C21150D1698F8A45B8A79BBE1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.647{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_new_files_in_uncommon_appdata_folder.yml.tmpMD5=E0054E906BC701C3D2753C5C634ED7EB,SHA256=49AE8B1A9E1818B2ACE756C6944F1CD315439269E5208F30C0A28513B4B21B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.646{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_initial_access_dll_search_order_hijacking.yml.tmpMD5=7AD785FC46EF2F1355B88227D4DE210E,SHA256=A1E44A0F5634578788658348AAA08FBCE2D029271D1B2C31168865F6519B3033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.644{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_dll_sideloading_space_path.yml.tmpMD5=142854C2614C305A37EF5F06C90B4B3B,SHA256=A1F638DB254464BAAEA499BAABC97FAA309E282978C605F89FDB933E2121F661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.642{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_event\orig--file_event_win_ghostpack_safetykatz.yml.tmpMD5=079A7F6DE78C7AD2B3B39E817A25959F,SHA256=7252AE0A9FDD4F349A3BDB6117129042007A246925241E3F1D3B60E3ECC2E80E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.641{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_rename\orig--file_rename_win_ransomware.yml.tmpMD5=7CCA2D33C8452887D45C7093EB4EB3CA,SHA256=61ADBB850A8DAC43B0AA6897E66A9C0D568592B967236A2F60C1D62C1250B090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.640{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_rename\orig--file_rename_win_not_dll_to_dll.yml.tmpMD5=2823A48DF4EFD106EC6CB79E5032AB78,SHA256=2BE453EE1622A1F9FDD2AA462F4519F25160C99D14C589CBBCF1B39C4550877D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.638{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\orig--file_delete_win_cve_2021_1675_printspooler_del.yml.tmpMD5=DF2E5442BA1EA79288CEC3309DE1F0B2,SHA256=CDE788DF4D956CD48F95DF7ABE18FE7D79C59FC7C4A98E328802BA4026E4036E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.637{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\orig--file_delete_win_delete_backup_file.yml.tmpMD5=0E6F2BF718F4D39195137567FB88A0D4,SHA256=941F06E496DD733624855C4989FFDB5634FBCF6411C39FEAB35277118124A209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.635{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\orig--file_delete_win_webserver_access_logs_deleted.yml.tmpMD5=A9242E97836CD5DE3963F0B5414DDF6C,SHA256=986CECDC1740C07A6EA7F1B947D4364A7279C267255DF063A86FE48F359E1362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.632{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\orig--file_delete_win_unusual_deletion_by_dns_exe.yml.tmpMD5=C89FBEBD826681985A85A62338B20CDD,SHA256=FD886F7FCDA5FE51FE57F7278BFA4055E14FAD0DF2C1B6835F9DB7AE65FC0310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.631{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\orig--file_delete_win_sysinternals_sdelete_file_deletion.yml.tmpMD5=D0B5BA6585E6F7031244930B114083D8,SHA256=5AB2021BBE6095CC0D39218E5BAD7952B4818A62A61FCF92944F095F2C440F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.630{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\orig--file_delete_win_delete_appli_log.yml.tmpMD5=7B316DF84F4EFDC38061774A3D3F00F8,SHA256=7B9612EAF2B93D5446CE6CF75A1EA7224A21735F8C16B3C9E4D3E7DE9F022A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.630{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\orig--file_delete_win_delete_prefetch.yml.tmpMD5=771FBD14F8EAD3777A2F439B6C02A047,SHA256=200DC6BE2DF9C40765342F9CCED4D31FF3E87AA270BE9E34F6E6A477D824C8B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.624{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\file\file_delete\orig--file_delete_win_exchange_powershell_logs.yml.tmpMD5=F8B0470AA0C05CDDB1C3AA5B42B9A287,SHA256=8FF1EDE9D5FE44950663CD7440886E953BACCEC00B45B470F8845429020316DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.620{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_rdp.yml.tmpMD5=41BD4FE9F34E3BC6EAF766F29A17DDEA,SHA256=CB047A2CA5700D5E1632AD305DB8E7DCC8B60AEB7DFEE2A0AC0E1F1B14A17F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.620{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_ngrok_io.yml.tmpMD5=C91589467AB5C01D130C45166B82B778,SHA256=C7A22106AF1E7DB503059DE784EFD8965E1637670E2E7CEDF1580BA8D5CFDE3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.617{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_eqnedt.yml.tmpMD5=6AC16DE8CFFF17377D9C0E74EA523808,SHA256=AD1CBA019A2E114BB794620E06EFAD6117C075BEEF4BD8FDB18BD921579F910A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.617{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_excel_outbound_network_connection.yml.tmpMD5=4D09250DEC4E21A4ECE48CF112273F77,SHA256=C97FC5CEA0340038958F5ECD96BC2FFBBF72B0E003711AA53FD500552735FD7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.616{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_dropbox_api.yml.tmpMD5=5052437B83982D4613D0880FBD67C86B,SHA256=DD30CC93A72EA3459D150F18B1B4986CB8F992047259A39E3D1461E7A34743DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.616{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_prog_location_network_connection.yml.tmpMD5=D66AD4A1AE4815AC9B1B7B510F1024D3,SHA256=3BF2A9661577AFA157085BCD25F0292452111DF0C737AAF320562AB511821D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.614{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_ngrok_tunnel.yml.tmpMD5=83FC0774EBC6C3597CE408F37C59E7BE,SHA256=709BB5DC871767515323F08A6D3E13ABC64ABF165566218C963DE6295A8E89C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.612{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_epmap.yml.tmpMD5=3A9A3B72B7062D632CC4C882BDC240D4,SHA256=295808A14B64C2174D89A81B73ACA75EE85DF88FB3CA11A4A5DA36EDCCBB518B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.611{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_powershell_network_connection.yml.tmpMD5=7C2C8C225A9FCD4DBBF5C9D8F5EEC252,SHA256=7CFB9AAFA60905248CB08F0E1CF8063DC6E28DE690F1E749215D97B44E0E2E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.610{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_rdp_reverse_tunnel.yml.tmpMD5=D4156A1AD7CC1AE59B0D924D4FFC1B70,SHA256=0739F3F4BFC3FB03B446542635726E9708F8DEABC7BEDB2ABC7EB1B8EB4D40D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.607{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_notepad_network_connection.yml.tmpMD5=AE155840C74DB2FEE72BE9FBBCFFCAEB,SHA256=D30B5CA718A532E1594F05194C439996747BFE6B667DD569B673FADB02BA230B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.605{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_dllhost_net_connections.yml.tmpMD5=ACFA387BC45B6D2D7589E5AED2F4E58A,SHA256=2670A22E596A825EFE89003CACCCC31BAE1B53F8978F21A1B810B75CB3C82E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.605{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_wuauclt_network_connection.yml.tmpMD5=4887829A028944FFF3B9B892A48E0144,SHA256=BDE2C289703A9D8F47664EA5E5623D737EB810EC7BD01F2DED00A496A001A4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.603{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_certutil.yml.tmpMD5=181F80ECCF84F8E22567C01DDB516063,SHA256=9B7924781998ADE6DCCB88B493F81C614AF0649B4D3272C049C0BEF9E9CAE33A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.603{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_dead_drop_resolvers.yml.tmpMD5=B936080E213457921B14B92F54672373,SHA256=63C648715A437307D59086FC82739963233EB639C58BD0CE3CB8B6706850E9B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.599{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_mega_nz.yml.tmpMD5=93ACD23F03352FF8B5F977067DEBF9FF,SHA256=4CF610EE5CA1E50B89C74D31C6A53F5521414BDDE878B6DDC3780FA8E880B61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.598{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_silenttrinity_stager_msbuild_activity.yml.tmpMD5=0C5ECFE237CDF551302B1DB8E501BFB9,SHA256=1ED111F7707B6009A34780F25B8D16F87E702C9CFC63706FC72FD51813B6B832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.596{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_malware_backconnect_ports.yml.tmpMD5=65034E566CC0B026253106EADE396B94,SHA256=A41556C507290565BF86EB5B29AEC0CA2E8C5F2335C9BE73EB7E93834F40985E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.592{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_binary_susp_com.yml.tmpMD5=25323B22259A23A12D8C385FF20CE2AA,SHA256=D3391FDD2076936A332600623C94C0A1C3FE065B92A1CA96AAA46A779D39B9A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.591{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_binary_github_com.yml.tmpMD5=D61A7F39F3FAAFE22CDF6881EACFF21B,SHA256=680A700F457B8D65328C13BCA543790C087BF30CB50229C860CA50C3DA448075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.590{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_imewdbld.yml.tmpMD5=49D4B9290B1294CAF66FBFBE3297C82E,SHA256=F94153892934ADBF8153AA113051B528F9698FC84021BCE64F0EC5A7766CF6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.589{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_outbound_mobsync_connection.yml.tmpMD5=166B50816F953A0FF0761322CDF8BA70,SHA256=F6E5C039ECCAEFFC9A8D3D32368DC0AADEFCA4334F1F4E9C5260CFA150145D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.588{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_script_wan.yml.tmpMD5=49BB3273BDE4B6EC92187F0150761F96,SHA256=D23E850BA379729615962322E56C4D45B54DCE85DCEDFC6D9580C3BCAA0A090F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.587{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31BFF271F28D0630444E6653E10D716,SHA256=F21C6152D5311EB81FE791093B13B995392D14FA20494B27FC983E4E75CAE158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.587{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_binary_no_cmdline.yml.tmpMD5=7A3925A489CE1D4553B886E1DC7C5C9F,SHA256=E193AB5BE4DE858EF058B40F5D27770C659C075AF6B4B33BFE7C0AFF83B69C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.585{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_remote_powershell_session_network.yml.tmpMD5=CE05CA08611A42FD43BE4C43A2D4FF03,SHA256=E9F214582F2F77447E873214F38B4FE22F3E49F03B536CFEAD06651A99D62F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.584{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_msiexec.yml.tmpMD5=FA518A827034D9211CD67F0045A425C5,SHA256=6CF7912B6143C30B02866F6E62402C4F91C14214C126F3C930871B8FE962F96A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.582{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_crypto_mining.yml.tmpMD5=EF42A0590A74DE29CC1764461DF772C5,SHA256=71111830B0538409B3FA8708674938C3A2AD7FF19752E4850AABEAD97BB7064D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.581{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_script.yml.tmpMD5=319275BAF38B5240F86FD170900274F5,SHA256=853274BF94310D1B2BF5A6C485A8E6CDAF2F4213CF17BC05659DFAA60D086C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.579{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_rundll32_net_connections.yml.tmpMD5=B90620FFAD26AE97328031AFC6D0BFA2,SHA256=5360475BC494F0586CE44C51396800859C6D85F9CE6D2C0B9B62CC7300F1E65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.577{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_outbound_kerberos_connection.yml.tmpMD5=5E061C7301F444EF67432C9B91E3357B,SHA256=8BE27354DFAE7A146185C1986EF2EEA80BAA553ECFA163B91B27CBFD6BC4D982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.576{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_python.yml.tmpMD5=D40E206588ED0AE47F2C7E9981AE9D88,SHA256=02CC43937FBE3A0510EBF1DA40DB3741BC99B5106D43D4244295627E364C4DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.573{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_hh.yml.tmpMD5=B741D14E466C335770BD8D68EA440B41,SHA256=00ACB8AD9EB90B8AA4FBC77A4726E4EA1B735E5A05E322BB396DDFB7FD402FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.572{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_rdp_to_http.yml.tmpMD5=E937A3A595F31EF37591685D1A950CDA,SHA256=3C4827C7DA448258CFDABA967B16EF73BD8208CFDD343A6884C4F5AFB5E3B576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.570{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_outbound_smtp_connections.yml.tmpMD5=C62FBECA8565180A89F1DF229874C093,SHA256=5B755744EF75429A4BEF19E1FE89405828CADB63082B672700057894F45C60D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.569{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_regsvr32_network_activity.yml.tmpMD5=56F06ABC10F6AF1834DF0831E83D42CD,SHA256=CBB905861225668250C6878466750C5C857EA04A730F69EBBFB3FCD2B5AF43D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.568{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\network_connection\orig--net_connection_win_susp_cmstp.yml.tmpMD5=551ED714450D302E3A16C154E39C590E,SHA256=41383DB549C611314F5971F1CE517BEAC2E974172F8A13F44A4EC23C2E92F814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.566{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_stream_hash\orig--create_stream_hash_susp_ip_domains.yml.tmpMD5=92BF5656983139A363EC78468AEDB506,SHA256=E10A0E3ACD83D6101C124B3D4633E0153038AF2FC5ABD3175A816EF7AB0B5908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.564{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_stream_hash\orig--create_stream_hash_hacktool_download.yml.tmpMD5=093BF8E520073F1135281C3F164C6EB4,SHA256=2486B71B4BE8A6D06E1DB3979C44CE899306C5F2E5C211F88FC6AC9CE3204979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.562{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_stream_hash\orig--create_stream_hash_susp_domain_ext_combo.yml.tmpMD5=5873CE0784BBF51F69D109EAE5EA6264,SHA256=E8CE7027E2A66E8E2A42C29B2C0146BA1BB12F5D441491C39F05A7E4B801BA84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.562{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_stream_hash\orig--create_stream_hash_ads_executable.yml.tmpMD5=6D0BE948915D4BB49B669BF4CAAF1CB8,SHA256=6CF4D13D9862401BD0204F0E939B9E4F9ACA471FA7A1DE39B293A69B8E55E4A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.560{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_stream_hash\orig--create_stream_hash_regedit_export_to_ads.yml.tmpMD5=38A5A458208DE22582F7F1D19A64D8C5,SHA256=A9AAC526BE7865D97ACD90CEA5CEB3B74BFC824AFF9815DAA1ACF7E4530A1507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.558{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_stream_hash\orig--create_stream_hash_susp_domain_ext_combo_med.yml.tmpMD5=0AA67967960584BF10669D4703758C28,SHA256=8BB3F7A71EA0C7DB819C6AEF43F00FB4A873B3B6D2DFD0B1084406EA7BCC1B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.556{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\create_stream_hash\orig--create_stream_hash_creation_internet_file.yml.tmpMD5=A5427D0326587D3DF80A7563801F7F05,SHA256=34E505D17A07734A021F0E151720CC3DC4D16EA0B5001C702B1F2FDF62B0FC88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.554{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_ufile_io.yml.tmpMD5=5A66A31A92F732918BE4F5D9DE0FFF72,SHA256=D69042500B092F72C6013DBB41EDA650CE6627DE711A499E8309DAB75106F8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.553{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_susp_ldap.yml.tmpMD5=ECDCB8982FA3D4BA37D97DD253A63433,SHA256=038E0F323507A61490DF1E64B295386FB6381ACDB477E5CF21779C32763DF959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.552{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_mega_nz.yml.tmpMD5=F300DE8EADD86E9A828712FCE1B0078F,SHA256=2EB1D6C78E54790CDCA571634972FE6440473197C9E7469CA18AE998A644A89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.551{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_anonymfiles_com.yml.tmpMD5=3F9579814AA9C5CAAE84375144D9578D,SHA256=9B6A533B5FE41F14F8B0F63D9FD10BEB2D3F8F449BEBE0BA2594054179B16590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.550{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_susp_ipify.yml.tmpMD5=C56A642B4A68462C6F8F551C8D39C105,SHA256=FDAFBF86EF536E682514BF60B308C3E3349C84A6C3086F7B60735240CE12387D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.549{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_hybridconnectionmgr_servicebus.yml.tmpMD5=942F35FCA82F68B50B5767AD55495818,SHA256=7D93AC5A44E7173428646673A7DED8AA585428B6B648083EC7C2960F5B7BD557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.548{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_tor_onion.yml.tmpMD5=A6EBCD2692F6517A7308582C17C8EC7D,SHA256=BEB1D1814998C4710CEADAFC801CBB8CD4D6747AB06E7C51EBD6003E1C76DBEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.545{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_remote_access_software_domains.yml.tmpMD5=B6825B70A7F51A64EE0EC908D1E9311F,SHA256=359BD7D9390F21FF83C36D4197DBA90B509B3E62102CBC5FF1798EEEFB68C8D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.544{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_susp_teamviewer.yml.tmpMD5=E87417B72BBF2A2930C90A712DCB0A89,SHA256=8B326568A1615F9978A9C356E2AC85519F6E1A44E4C5793B55864131BC8C9CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.542{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_lobas_appinstaller.yml.tmpMD5=E83C5104C63195E725663471DDFF4BE6,SHA256=FD5AC8FCEE341FFB7DCDF7F08FDB05956503B7FBB914C4F26846F09F5853D61D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.542{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_regsvr32_network_activity.yml.tmpMD5=DE835C856FEC6A108697832F7597CC16,SHA256=545039CF32BBEF67B311F219BBA18E116A5C5D1DEBE9A30808B0B40882C8AD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.541{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_possible_dns_rebinding.yml.tmpMD5=CE7CD35B87B288FD4377609CAF986AF4,SHA256=418645E3AFF331DF6AE59C24047D18BBBCD75012DDDA12A074B995BF6651A76A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.540{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\dns_query\orig--dns_query_win_mal_cobaltstrike.yml.tmpMD5=F5D8870C6BD4D663FB44A55D4C5E27E6,SHA256=8AE572344BF1447F322DA529A875FEC4A2CE6E51AD9B955AF857823B5A184670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.538{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\orig--registry_delete_mstsc_history_cleared.yml.tmpMD5=22DCEFBCCCAD17E75E7F3BF2126A1825,SHA256=B7488832182E861DEADFE9297BA44E6C765C6AC3AECD6F41B55E6AA3D0759EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.538{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\orig--registry_delete_removal_sd_value_scheduled_task_hide.yml.tmpMD5=DCF2BFE2AA9D738FE6A4EBAE9C9049E5,SHA256=7E1FFA49CD9A2E1B51BCDDB3F28D35A53AD07E65505EECB5ED248D571A5302FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.536{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\orig--registry_delete_removal_index_value_scheduled_task_hide.yml.tmpMD5=8E5A86328A8F939E78DF146FAB75C7B1,SHA256=8D08E197D111C04B6E1099165273810F9438D6D65BCD7BC17537FDCD9FF770EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.531{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\orig--registry_delete_removal_amsi_registry_key.yml.tmpMD5=F56FE7C2B76E854AEEF480ED7EDB62C6,SHA256=6FD1A224B97CE19D444DB4531FB6419558C763FD07153DFFF6AA56C953BFE987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.529{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\orig--registry_delete_removal_com_hijacking_registry_key.yml.tmpMD5=4557DCFA0099158447F5CAF732F874DB,SHA256=2986D61B35D3F1EBECD2BA5D6C719E757B11A0890FBBD37CED3C1E70CA29731A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.527{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_delete\orig--registry_delete_exploit_guard_protected_folders.yml.tmpMD5=6660D1C74E75A86165FC72E221C6D17B,SHA256=D95A5BEAEEBE6D17990EF7DF81B56021BD1CB672B6BB2612F0F81D93DE09459C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.526{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_sysinternals_eula_accepted.yml.tmpMD5=C59605CFB4E3254D2E4DCCA0D5AA01A5,SHA256=885939D9C7B969D8BA3DC93E07C2396EBD01316A96EBA2152EB72DDDBE48CF13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.525{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_set_disk_cleanup_handler_new_entry_persistence.yml.tmpMD5=C9EF47CE1AAEA651A6F529924358DFCF,SHA256=73CD41BAD25D5719D5456D3694C6D4CF422BF3023CAA871F63833AC11F0CEC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.523{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_mal_ursnif.yml.tmpMD5=F254E3120E3576C55FE2BF6DF0013044,SHA256=94C1B5978711A09388EB18D453384A27E73FFABBCDF129C99568BBBE4EB52450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.523{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_sysinternals_sdelete_registry_keys.yml.tmpMD5=055B1D901D9348115DEA9B3857B02D74,SHA256=DD0C485544DACAAB17443DFFA7163F7697E7617E3A66BCA555376555168401D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.521{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_persistence_key_linking.yml.tmpMD5=7C49D0851BC50AE92B0A7D6CCBB4FFE7,SHA256=1B45DAE2A11CAC9F94658829753A2437C20D6F921943E25F0197B1B37F899D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.520{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_amsi_providers_persistence.yml.tmpMD5=6D4F39E2A3902B9E5AEA6DE1DC5F24F3,SHA256=8E00BE625FD2730FEFAB4F680E0FB083D8308DB4C0C327C816242103ABC17AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.519{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_mal_netwire.yml.tmpMD5=A8552B5A52F2179FE0904D49E63D31BA,SHA256=BB8D4B341CFC27A67BC0D0727C8B199FB49F4B3B432F06F8B50AFF2E812D8884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.517{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_susp_sysinternals_eula_accepted.yml.tmpMD5=53571F4887B35DC78EB80E21F0F222D0,SHA256=F00FFABD26B8BE657C82B722CF9D9AC83CEC46B3ADF83BC25C3120FAAB63BA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.515{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_renamed_sysinternals_eula_accepted.yml.tmpMD5=DBF6122D0F958962F011E8603EF2C181,SHA256=2D3F9B1B748917D82A62F2C8397625C8A13267F0C6A39D92BDB74AC8842F6514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.514{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_add\orig--registry_add_logon_scripts_userinitmprlogonscript_reg.yml.tmpMD5=DCEA372DE1929A1A3B5616226E541EDC,SHA256=49C0655B35633EB5B3F3C48FE1B5B5C3B12AF74209855AD2D30DB70B3F0C0DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.513{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_susp_atbroker_change.yml.tmpMD5=18F6D76B2AE9D02AAD74ABB020ED8DDD,SHA256=86D00E80018330110513C1F1A5686852E62B3301BCEFEEF07292DCED3366FF91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.511{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_mal_flowcloud.yml.tmpMD5=1661D0D543627ECE085E8B8D745D7F77,SHA256=0F81706BB1C23AF688AA7771A1DA203DE65C7DC72A1359F2EFE0B38152938207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.509{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_runkey_winekey.yml.tmpMD5=B19FBE214E21BF14AB23C9CA79080812,SHA256=72FDAD74C135D81BFFFDD3F7A882C0D1D01A1F1080B4B6845FD1BEBCA62FA987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.508{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_office_test_regadd.yml.tmpMD5=E967E33FBACA4692B1EED16FF1DC0850,SHA256=AFF8C85D18E66F5A6155C6107C6444FF7BD6E2BF608FC59B1B83DB3BE8020DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.507{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_disable_security_events_logging_adding_reg_key_minint.yml.tmpMD5=3E7B9DAC62BDF5928BBD737FB45CC137,SHA256=80B43774B0086A9F4D4D429AB5DB39D493AD9BC6A0F909878105A72753E026B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.506{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_esentutl_volume_shadow_copy_service_keys.yml.tmpMD5=94395B50B2B9DF9E317564D9058050FE,SHA256=8B59421A4E30E7392CE1AEF2A9CACF2D984A97514B8AFD32CBB31D3B98385D6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.505{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_modify_screensaver_binary_path.yml.tmpMD5=1DB918B90C4BB7FDC89E5BEBA8BC215A,SHA256=B482BE6087DB9BD62160954BEC21288AFB8A06E2978F292C63C29C9C3019539E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.504{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_bypass_via_wsreset.yml.tmpMD5=E926CB187A611A104605E10E0B865339,SHA256=1F8E94B47645B9E47F233D54FC4B878D494E4AB3C12D204AAAA6967BA267BA52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.503{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_redmimicry_winnti_reg.yml.tmpMD5=CDC70795AB341B9C20706E4DC48FEC6B,SHA256=38A2C964EB768440FA71142B798BE47D3E9D02DA302933E4BE440FCF7E8E1860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.502{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_susp_download_run_key.yml.tmpMD5=5D5735B0709192EEEF5C3AF0BD0C965F,SHA256=4B6C317EC18906FD244B45676952324409A866EF10D37622F4A78FEEE3503936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.501{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_apt_chafer_mar18.yml.tmpMD5=61C90639B31641E0299DF5B3B5072D13,SHA256=EAAB80B5656B016A00F904D48C94B9116DCDEBB1D7AC158E55F6B9C30C7F331A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.500{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_new_dll_added_to_appcertdlls_registry_key.yml.tmpMD5=F20558461C312E9AFFDC409CD2BDDADE,SHA256=A885528031AE609123F0C8C14438BF10A40A7021B8B4B5772279CCB9FD42757B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.499{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_silentprocessexit_lsass.yml.tmpMD5=8736617E6ED0F231689DD77EF44BDC11,SHA256=3C9506C698DFB3FDFFDF5AA94C2B1C339BC1423EBFC302CCBD831219D716F7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.497{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_trust_record_modification.yml.tmpMD5=BB6B29C65A50BF42B1E596CAB0372104,SHA256=22670430EF3EB31B4B9319581167A9A8C0EC8BC4415FFC8AA0564964DA149692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.495{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_cmstp_execution_by_registry.yml.tmpMD5=88DB0AD45634569B280AC9DEBD2A0DCD,SHA256=22E623A6CE934C25EBA3CE5E1A3A17E236812BCDB2E4606D4BE06F377AF3342C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.494{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_net_ntlm_downgrade.yml.tmpMD5=2C203BDBCD61AE3F1E35114D2B965575,SHA256=D6AAAD4CF15F9E05C57735BC9C6DBCADD603D4F4C1C6EC3C08B880E65A597623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.489{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_stickykey_like_backdoor.yml.tmpMD5=82F1CC97527424E29662AD8012FF8AB5,SHA256=66980C9C1B1DAE5FE2FD5644EF88C63810687141829167C0EC0C40AFCB975B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.488{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_apt_pandemic.yml.tmpMD5=C0F8902BF15D37071CF069B0BC2D5E1D,SHA256=4DEA1789B934CEC05E43AAAC527A66F819BBFD75E19F616867AFADCD416E332F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.487{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_mal_azorult.yml.tmpMD5=C684B65A78B4B07FC88AD5CA45C0FBC0,SHA256=7AB20614A6B1D819EA7995360A9CB34F28CE9EEC4AC742BA96A8E11E19F4067E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.486{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_persistence_recycle_bin.yml.tmpMD5=05B102781853B5FF2B8808C4C232A501,SHA256=434356F899907FE7BAF7669947FE2B666EED52F52151D096E5CEBEFB012D15BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.485{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_shell_open_keys_manipulation.yml.tmpMD5=1BCD825A9424C72722839C0E62900D34,SHA256=7AEAE5B308AF9B94CBBCC271E7911FC9D9BCBD2F22632ED00934E35819AB5848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.483{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_hybridconnectionmgr_svc_installation.yml.tmpMD5=841C72F2B2BFEE54B52896DCC432813D,SHA256=0A26E65053B80DC0B57BF411E162B212FF6C660BC9C7FFD0D0E004C59B0D990B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.483{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_new_dll_added_to_appinit_dlls_registry_key.yml.tmpMD5=2E4DCC924E2155BCFE811A7F833E82AA,SHA256=BACCDA394CFBEDD8B95A88B4C0EE75E1960F124BA494C20D4F1E488CA2EF1109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.482{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_portproxy_registry_key.yml.tmpMD5=C392788DB05B3E22A6AF7FA9826AA5E6,SHA256=C728CBE73F176D2F6370E1AC63A309E5BA16B9B1C9272256B0E63AB65282190F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.480{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_susp_mic_cam_access.yml.tmpMD5=36BB422E2427143335B4639D3654F433,SHA256=0E4CF443570FA1D3740C718BFBAE628A43182432BC19212C8F8775B585E0DFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.479{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_disable_wdigest_credential_guard.yml.tmpMD5=9958B2491B45DA9B742D393E3FA54696,SHA256=B9B0AF5BE2FFAB69340DE896B7D1021B320454E0D87F018A44E1C51C7E0E5521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.471{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_narrator_feedback_persistance.yml.tmpMD5=6E534303FA0E0E1FF90F20333CCE04FB,SHA256=2A52A992FF68131720E0754FE4CAEF156EBC9E11F1CB3576FE644C02FA74EB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.468{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_apt_oceanlotus_registry.yml.tmpMD5=627A66F9D3F7180FFE15EE5E7FE3FB06,SHA256=543252F6E3E5FEBE1B85E98CF73028E435497A256869DC9FB8D5FFA2D54143E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.467{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_runonce_persistence.yml.tmpMD5=46638A6445C47D1041A23C2AF40D0204,SHA256=2F1BB15F48B889039DA697F6C4F44A3689C56763BBBB354A80CEC72231EC015A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.464{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_mimikatz_printernightmare.yml.tmpMD5=122D91FA69BB91047FC5DB6B9CBD29A9,SHA256=F5348C2AE48D9CB596C93AC15E5EF3DA0D54B5671C32216D1CB2906AF7EFEEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.462{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_hack_wce_reg.yml.tmpMD5=F59A902B2F881075B4DE5BB2192D930B,SHA256=D2D42C24C541FE431C93EE2D136634F2B18268109C4D5216756F27B3BE024E13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.460{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_ssp_added_lsa_config.yml.tmpMD5=572044DC5EB177DBD2DD9F0B4FA9A548,SHA256=DE851B1D93719E3E71B4C1432A8F9A20723323D0CBFC5A20DEE9C1D05211673D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.460{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_add_local_hidden_user.yml.tmpMD5=F240E825CA4E62E5C86C5498D24CF1E3,SHA256=ADD53B3B34CCD1C1A86B191881420B51D35C8426B5E7454BED85D5867EFD5F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.458{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_susp_lsass_dll_load.yml.tmpMD5=29F74AA9A82177C8CDC9A8BADC1322DC,SHA256=C6A0A435EA77508DFDE0FC20A7011EA5BC285555E9E778EB87A4F8C87E99BAC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.455{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_event\orig--registry_event_apt_leviathan.yml.tmpMD5=71A1191691E576383C6CF21C62EF960F,SHA256=E54CC36AFE69077434A7DA8925D131F0C12C9F62359F143F1C2B2A7C96EB466E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.454{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_suppress_defender_notifications.yml.tmpMD5=5DD4DFF3F9748D642B8F9FF473119633,SHA256=33850F3A9531C2460F23145FCFB153C03D115B37E6A8FB480D98D1BBD21203B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.452{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_creation_service_susp_folder.yml.tmpMD5=5B6E9BCE9634E6F721B1DDE350AB94D2,SHA256=F4D46065EB4336AC48179E3991938136423D16118158FF2DE9675F1AB9BF2371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.450{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_mal_adwind.yml.tmpMD5=5011A53605751B9EE8F36FE40B01696E,SHA256=DCAE39D3AA85F796CE466FB86D87B286739258DBA3F1ECB2D7C95603B5960E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.449{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_persistence_appx_debugger.yml.tmpMD5=55623FAA08FBAB00EE43357B15333F57,SHA256=BE072A2E43D848882F60195ABA8F344985259A77D825EB3E8A740CA88422BAF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.447{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_currentversion.yml.tmpMD5=008E17A19C8B24318217007E28E30959,SHA256=323BB38EBF8A387EE10035203E08A6822AD96FD1F5359F75E09B507736A766F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.445{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_comhijack_sdclt.yml.tmpMD5=A62CD9644BB05FCBF8DA0DCA1817B358,SHA256=0726FC247B3E7815483BA2AAB5F75DEFDE1B1ADF439AF70DC2A6CEF2AB2F79A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.443{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_change_winevt_channelaccess.yml.tmpMD5=66AA01D90E613BA9E209450468F451D9,SHA256=81BA069CC1F4CD7BD30EF91FD13D3DE10EBEE3249F618B96F9FA3C62DDA3A06F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.441{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_timeproviders_dllname.yml.tmpMD5=42D6516C1E810D6C850B51F92990B2D8,SHA256=FCBCEEAF22853450017212C956F6AA3F17176D73B406B7296C00866C7909D963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.439{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_servicedll_hijack.yml.tmpMD5=317F0DE66D4A0887E6B4DACEBC8332E7,SHA256=75EDB4C6AA1564810F8ED6C5B693FB51F0145B2A83C95CE07B983727F7608987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.438{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_fax_change_service_user.yml.tmpMD5=4AAE703940286896EF8EF58A8B88AF80,SHA256=4991B66F5B2DF0D62644A0B239C6E901D0562E0EAD428665F1AEBF72DB61FEF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.437{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_hide_file.yml.tmpMD5=6915DC33F3F3DEA65574BB6521C46E73,SHA256=C644FA8AB3A53293EE47162E4F553E8C6E675ADA0A68B08928C2DCBD011D86BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.436{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml.tmpMD5=4E53FA98F5A431B67099BFE63FB445F6,SHA256=AF47019255811BDA3878B839E778727DDF02B39462A8E268400978E7D19EDD40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.435{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_susp_keyboard_layout_load.yml.tmpMD5=CA0FC0A6E0F1FB1FD8C31FFBF22E3D82,SHA256=36C9C29767D003E7696951B2307A7F0E62222A9E6CD9FB1FE2934D9D5989F526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.434{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_outlook_security.yml.tmpMD5=A299D9605B20351645E90D3C5446748B,SHA256=F154923357D5CAC288ADABD11DA42299F4F9B08EAC133D327EEC774E56B00434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.425{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_system_scripts.yml.tmpMD5=3F77D625C3C10100BD44E3F20B02212A,SHA256=A2B16AA2153232DC964240AA4124B196A570DA53ABEDD52C6E2461514FB1482E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.418{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_hidden_extention.yml.tmpMD5=BE4C4B3A456BC5D5C121F09D78E95214,SHA256=895448144A756BB94881FCA7CAE1F2122B6A618E3DAD834445CD3F12AF911FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.417{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_hide_function_user.yml.tmpMD5=2AF6EC630B558630C2501004718500E8,SHA256=5C7C02B36FDEAB1ADD9FC2E0064C0A105444B24D00CD12D6611418A090E9F9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.416{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_register_custom_protocol_handler.yml.tmpMD5=E4EEEFB98BFA64CE4BCD6A0422373BA2,SHA256=0EA56D66BD1585D3CE845F8E53BED78CE9CA48E7689F1ED898147F599024ADD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.414{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disabled_pua_protection_on_microsoft_defender.yml.tmpMD5=14578B5D1747C95EAA1864F6CC412A63,SHA256=EBC188C391F9B6DEF45F7F3291F26B73D7DAC6BE78117231427CD386723313FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.412{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_macroruntimescanscope.yml.tmpMD5=C36D3770C8F8DF3B9C82A64FC1378358,SHA256=49A95EF2750A244B3D7730394ACA7A2FEDCA99CD4BFAACE6EAEDE78B774C7A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.410{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_dhcp_calloutdll.yml.tmpMD5=D095F306223862C46A7ADD36F0BA7424,SHA256=16A7D26F40186E5E86152902928137E4B0183CE2F9FE367000E7E17A82690FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.408{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_outlook_registry_todaypage.yml.tmpMD5=D2CB386CE823492133F17030F0D8218C,SHA256=99A09A473830F769C0FA535CAD045174243CD154F7214DB346B0F6588F1E3C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.407{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disabled_tamper_protection_on_microsoft_defender.yml.tmpMD5=EEF9A02C9D1E0CAA6683BFA2F0F3200E,SHA256=55CA989BB96497E4DD264E2E8C11FDE12C4F4E9C5B3CD42A03E9ECC24E9549B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.406{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_office_enable_dde.yml.tmpMD5=6E37CA908ECF5A82BA308A33ACB03297,SHA256=FF3F7B74BDA729B1ED4EA7CEE458A549A4EAD87784BC52EC5444EBE5671999B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.404{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_outlook_registry_webview.yml.tmpMD5=63C91266C8CEE118630846DD49973181,SHA256=91F0B11E57B2E23865319CEC1DB06AE6B39733373B024CB2EF4D036AC249278A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.403{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_file_association_exefile.yml.tmpMD5=24FD15DF8107FA8172A4DB70D8D93E0A,SHA256=4EE95226E4419B524FB68F17CF50F9D667D0F1FE388F07D799B0343F6942E3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.402{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_cve_2022_30190_msdt_follina.yml.tmpMD5=CAD99B3BF2DE2712F286B8DCA734E8C9,SHA256=2E90E5FBD8684C77DC87FFE645E8E9502C7FDEE9DB5965D54CB13110C41BA6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.402{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_sip_persistence.yml.tmpMD5=E08550F172024044CD9D65F9777F7930,SHA256=0FDB3DC4FD38E4D03BFFFCD44535CA9B5C8EC70229CE115C39BAB993C1840919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.400{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_change_rdp_port.yml.tmpMD5=6B66422987A8C90AAE1F15817D7D6DE5,SHA256=B2B27510015A632041B9BCBE43E0D60557223B8A3350FDEFD4358B42B6DA8FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.398{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_persistence_com_hijacking_susp_locations.yml.tmpMD5=1896F61B5219188AFA45BF9EC84C2F69,SHA256=77B83864EEB309EECD87D4BF2335FD9944220158C0B6EA7D1AA1F716A42211AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.396{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_powershell_as_service.yml.tmpMD5=1E470039583AA520960187462F4CC221,SHA256=12BE84A51E0F4091C2C03BB10EE7C39F17AB321ACEC302A4CA7E3DB0BEEC1C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.395{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_lsa_extension_persistence.yml.tmpMD5=F369A2D4C863CDA4AF36344DB8F096F3,SHA256=C4E8EA94C4A914D89C6FBEA93CB7AEF160304F3EFB9F1979CA722685F18A4CC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.395{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_net_cli_ngenassemblyusagelog.yml.tmpMD5=E8FF25221A24110FA38E4880FA5462B9,SHA256=87F6BFD49C0E67C7F43985FDBFF952D08E8A09C147ECDA98F92B1C8F3AEFF509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.394{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_fax_dll_persistance.yml.tmpMD5=D43068B9E087C9393683773D4B156BE2,SHA256=C8A0A486F37DC37319C48E2DF8BEB3784F925851447A3EC1568FE7EB4A74BE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.394{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_set_nopolicies_user.yml.tmpMD5=54A3B51BEF958CF1290700BC4BE732C5,SHA256=9AF14A63C1212F763963D33CD2D58438A577E6B61C6A0064357C357D0698D4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.392{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_winlogon_notify_key.yml.tmpMD5=28F8FC630BA198EFE6E43AB99B153127,SHA256=D3608487CECFCED8F2694B3DC6324AE1455967E5BA1BB3B57F55F40B77A080B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.392{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_function_user.yml.tmpMD5=3A96E926333828F2DCD00422F75FBC16,SHA256=85743350DB7772396D723BFD9227C2D3A4836AF829E72CF537A73B6BE94D07B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.390{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disallowrun_execution.yml.tmpMD5=9BF3F5917D4D6544EEEA107E00C4BFED,SHA256=254161C4CB138C20785A02C303C0E52947845B2D46F167402BC0167989238F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.389{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_wow6432node_classes.yml.tmpMD5=7273BF2CAB4678103D632EC46C552F25,SHA256=401CB3C408947516A859AA18F05EB9E21C7074E4678BDC4385F1466BB6F3807F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.388{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_common.yml.tmpMD5=547A2FC075D3B0DFFDF1B19EE2485D4C,SHA256=A70322CB8DD123035BE600953B83F2675FB0243A715CEC232EA3A44D5AE5BA68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.387{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_persistence_search_order.yml.tmpMD5=7C7A34758A073620D841952A74B18B79,SHA256=47711E4409A882C0342A71C742E0F6EDB91D5BBBAB108D325B1B55B74EB575C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.385{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_add_port_monitor.yml.tmpMD5=4F7E51EE52E6E91ACD1EE0CFBDC24829,SHA256=E4672A051BB58ACC568A6363713ECC026C0C13577A4C7D84E385A2023C347244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.385{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_windows_defender_tamper.yml.tmpMD5=CDBBDB2F1CA026EDD45130BEABFF695D,SHA256=68A2AAEAEEFB532179238EE287337636F950C8CD44B0D7BB0CCC14027A7F32BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.383{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_aedebug_persistence.yml.tmpMD5=430C52ED6D02E4ABCF49ECD4D9D055E8,SHA256=92799509591C31A8D2B02846ED70D20B579CB4B46760E529406FBBFE31360A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.382{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_ie_persistence.yml.tmpMD5=BE4710E15613575F990A5F9E71312BEA,SHA256=1D105C44ECBFF0062DF189079A08222F7E5D3576A4257440F805154487226C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.381{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_autologger_sessions.yml.tmpMD5=ABE5985EEF77CEB36B55113B056017FA,SHA256=09F2A60DACC697918E27030EF1973F190FD6FE5E3FA804ABD1B771347E119CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.379{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_policies_associations_tamper.yml.tmpMD5=5E3BF00521DDFAADA319BECC35D286EC,SHA256=64E0A18E0CBB55C642B5FDB18807B66AC82824B1A77457295CCE60785AB39A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.377{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_office.yml.tmpMD5=C9DC1A02E7CFC820163337988DB2002C,SHA256=3CACE77AB0F2AE8707059E029731B2F605212822D4E4FEAF49BC89509E488523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.375{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_windows_defender_service.yml.tmpMD5=709AD31E40011456DC6F405FBCBB21F9,SHA256=9F31B34E2B574E1E870677ED4D658AA3A38AAF74CC626900ABBD8FB818C51559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.373{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_add_hidden_user.yml.tmpMD5=A662A57141DAD2BE7899A4E3D6DF3689,SHA256=668FF4541C56E154117F9146E8F446602C801EFE6858152CE1818D9BFB870544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.372{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_dns_serverlevelplugindll.yml.tmpMD5=99A1135C749DE19283E2160EE72615EC,SHA256=273D844BDE79F40F974E9024349580276B84392D21AA886E67B9EB3DE7B31E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.371{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_enabling_cor_profiler_env_variables.yml.tmpMD5=2E3A39DABCCDDC378B8CDA8735AAF4A2,SHA256=1B74FD2204C27A0AC7D92F4798CCE81D9EC2764656D5C393141E9783F99349A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.370{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_defender_exclusions.yml.tmpMD5=2595648C76C6930717E54937536E0DC5,SHA256=FC83540BAFEE482B41B7930735F1F113BD10C9E306B06B0917D8661375410E99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.368{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_uac_bypass_wmp.yml.tmpMD5=ED2B0F0B8AA33A42E551D3780AD67EDA,SHA256=9BF0157DF7218FFA8378BE5F44C5C1C469F627D73941FE1A3E1E2C1D4527F3ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.366{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_outlook_c2_registry_key.yml.tmpMD5=DEA891F79BE89C5653762D5CB0F29129,SHA256=232998D9D14114BFA7A0CE4FF1163320003A8C7587EAA42DB3A934A5223A5E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.365{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_security_center_notifications.yml.tmpMD5=E8E97D0E797F03B055C5D12B827AD81B,SHA256=E24741B755169FF236154D8ECDF06C8E98D044F3ABC85C74962ECBA152DFD076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.363{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_session_manager.yml.tmpMD5=18D8DAB39CA4E4D6DE6876F7046F8EE5,SHA256=406F7B66810CCC7CC1E9D4ECE739405DF1D4B41D38D282100A446F5982F320D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.360{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_uac_bypass_eventvwr.yml.tmpMD5=613BD4FDFE11D81F71045ACA08ABE9BC,SHA256=8FA143DF7B94EAE295C983BCA472ED15B4F6D44F331D8F29BE9DE82B03357971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.360{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCEB7638D0AA7F3D84F19C4B774B7AD5,SHA256=633FA7EAB52D51ABA21EDE096B3B878505248FD716F31AE641AC8B4DAD309596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.355{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_cve_2021_31979_cve_2021_33771_exploits.yml.tmpMD5=E9ED8AA2B0EEC60EF991AE1BC8258321,SHA256=6140EEA8F2D98B1D17C2B5C62D9CA2F43D4D1FC2F34E3E09C66226FACB2494AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.236{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_creation_service_uncommon_folder.yml.tmpMD5=FDA3586562ACDE30089774B7CB1B2436,SHA256=AAADDBE0F7720F526FCC38E80FC061C7750E55F19074BE3C571BF3D90803FF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.235{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_custom_file_open_handler_powershell_execution.yml.tmpMD5=4649DCC9CC99FFBDD15D9E3F7E36AD2C,SHA256=CFD7E94F08CE9E410884B08EC6650764C512F844C520F9303C3B64A293A04DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.234{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_hangs_debugger_persistence.yml.tmpMD5=2D57D7965125BFDE7C6A95DB564D1B9A,SHA256=CF14307C13B1FE6B17A6CAE5975576D04BF498B83FC42A77A1213E220C7B8D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.233{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_globalflags_persistence.yml.tmpMD5=CD9C6E0558AFC9CCAFF5719B8E3FF9D7,SHA256=224FF74B5E24493895CA1951A15E48038C8AEF9B0EF34C7AB7C322DE0C44C1FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.231{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_microsoft_office_security_features.yml.tmpMD5=494D9C031CCEE28F624BB316B7283808,SHA256=837FD1999B4DC7AF66A52A0FF2B84DA3B8ADA32DDB6C7E3131BF4C6CA0A234A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.228{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_currentversion_nt.yml.tmpMD5=1F898F2D087865BF79FE0565D9316BCD,SHA256=F7C07DD6338CC74A4CA5051BF61E768078491977DBED0F50EF2C3D343A4AD443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.226{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_enabling_turnoffcheck.yml.tmpMD5=CF561EBEF9D851DBD056314550D7D9DB,SHA256=006CE44F0AEE7255CFB9861960313EF1921D3FF3CE08A69A4E8D91F5E15BAFD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.225{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_treatas_persistence.yml.tmpMD5=4CF8AA72154EB9767BD731756C64FEF2,SHA256=DF8BBFECAB392DBB93FA14EF62DEE1213F52C2EA367752A50CC58667B1D917A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.225{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_silentprocessexit.yml.tmpMD5=D8CB5DF7E51C979E9C152EA596EC76EC,SHA256=3CEBEFDC0071FD6A8FB7C5B0C8EEF437830F3A75A2781469AC99624A8C3C71EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.223{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_policies_attachments_tamper.yml.tmpMD5=32FD4D6BA20FE69D48AA7503749A3BC9,SHA256=D4331E253E644BB95EB6CD227A879B9FE0289DB1EBC256A947890512C977BD81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.221{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_uac_bypass_sdclt.yml.tmpMD5=347363063B96BA5F6E6025D2C2E66A91,SHA256=64913A1C00F31343BE2C14748DBCD18E0B26BD4EE293A166B19B7FED58878519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.219{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_special_accounts.yml.tmpMD5=3CF3E2C499015813A53EB9E1F0483854,SHA256=0EB65B344652DEC4780A76C1C411E9538F8B41A0C713C5073B0DB54B86BBB7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.217{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_windows_firewall.yml.tmpMD5=9CF2BD2FB2F5990E7286844C7ACF14E0,SHA256=FAF0E35F7305C05494E5B665663855FA40DDFF1BB417F7B6283B5CB54C46D37D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.217{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml.tmpMD5=BB7FDA4C883774D773D45890C9C7518E,SHA256=ABE125B1C55B2A1EBE6E3F7F4725E784E812EEA027302AC131275CC22F5AEB80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.215{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_susp_app_paths_persistence.yml.tmpMD5=6B6FCBE4154F8C88811FBE3854480F34,SHA256=50CC8250A01A2FA2B9EB3D00B78E4121BF4092538668BB4BCAE0E05928E54AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.213{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_ifilter_persistence.yml.tmpMD5=05339796C004DBCC8019005E3E4CCF2E,SHA256=56CBD8B75595A86947F22EB1F94BC2631E533782B5E76861ED03FF6CC00F6DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.212{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_wdigest_enable_uselogoncredential.yml.tmpMD5=D46643D2311EDB3DBA257543F9AE12A2,SHA256=59E855C7C315FA565107DC331D31F2773F640940CAB1AA019A8949061A7CA77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.211{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_terminal_server_tampering.yml.tmpMD5=B569B6DB9089AFB79CA513A44BEB746A,SHA256=CFEEFA4125F60808487EE1D5757DF76F88E3EB575053F16A9BCDE01C4537ECFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.210{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_add_load_service_in_safe_mode.yml.tmpMD5=6EF5FCD48D5D832722D9B564A73A2E57,SHA256=174A8DAD46E9DBC4E344D79A4A614ABFABF592BD24F622F4010B0E10D537D89A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.204{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_winsock2.yml.tmpMD5=0CE1F01432F24BB109433E37801817DE,SHA256=94CC075B689B1834E27898B6F5EB5FC68A5FCEEA249690532470E85C0258CBB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.202{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_susp_run_key_img_folder.yml.tmpMD5=129FA54E34EA260BA82275B5BC23A830,SHA256=1458D079300D5F3891F08942623B904208DB0F4DA48874F23E4EB4EB3CF9068C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.200{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_change_sysmon_driver_altitude.yml.tmpMD5=17DC8E53CA7C72FBE1CEB879F4F1C0B5,SHA256=844C2BFA095CD71F4318AA1DA64AA4F73F23D47F433A384C20A467FCB02B303A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.199{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_bypass_uac_using_silentcleanup_task.yml.tmpMD5=8FC987DAE0C8E0B5087BEF48F0A7788D,SHA256=A3F7F38F9AF819DFD625B81A69972B652A2B6198243E5A98C4BD378D960ADEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.198{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_winlogon_allow_multiple_tssessions.yml.tmpMD5=DA47F1DDA2BCCB75B0B33D387437F1CD,SHA256=98D5ACE9D7E874E6594673FB54939CD59D77402A1F08F67D72EBA48938C4DACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.197{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_persistence_typed_paths.yml.tmpMD5=848027EF0D1C20C80E86C0E132A87D8F,SHA256=416B413188C154B5696F139DBC7710B667F5A973A508F2C505BEF1379FE14E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.195{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_persistence_mycomputer.yml.tmpMD5=9341E6A3F1CC124731F5C9788CD01B90,SHA256=9FA6A9B10237DF67D104B7B15526ED469FCB5B232680A50C9625E8AF2F2925E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.195{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_mal_blue_mockingbird.yml.tmpMD5=8D1EF80F9F3D905570BA8FBBCAB3E856,SHA256=41D0377BF08418BDFB199F4034A865672F772F6DD645E908B0787125BAEF284D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.194{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disk_cleanup_handler_autorun_persistence.yml.tmpMD5=1CC6D986F666B38B66012C942A71BC85,SHA256=2BE13C4D651AB3C88207577A14641E8124CE73C742EC7E4C3C7BFD3B9FD6D4F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.192{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_winevt_logging.yml.tmpMD5=B2FB7708443C649C1B9AF58E9D73BA4E,SHA256=D12C2D6F9D6D000B0D14741C562ED132C37FE570FC28500C5331A088C50BAB74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.191{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_uac_bypass_winsat.yml.tmpMD5=C34E7C07321028565AD580EDD6F72CFC,SHA256=5E264DC07A23271DFA5D9D7A9D518AC10DA60A5FEDC4F7647232E1F9677E88EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.190{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_etw_disabled.yml.tmpMD5=870D887B2D469175D228379A6B62C457,SHA256=3724B70E9A6F6F88CF8CFB93C3077CDE0210488F7F2929925252708F15DF899D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.187{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_internet_explorer.yml.tmpMD5=BE385F914DD6106205CB0A7C8D4F71E8,SHA256=B6DB84580EC32336B9655FE2099EC07EB3C18D891009FF316FABC45329310F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.186{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_susp_user_shell_folders.yml.tmpMD5=69AF9BDCE25558B5EB130B4F59A20D25,SHA256=39793D2AC87B331F910A4B85D00A203FCF518DB1B4CDEDCC99D49F9876E141D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.186{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_terminal_server_suspicious.yml.tmpMD5=2C7BF198374179DD91548E89151201C7,SHA256=E4B85D31D137153C0F4C60FAE146532A787AA89DEDCAAC55A1E0ECFB3B98283A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.184{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_abusing_windows_telemetry_for_persistence.yml.tmpMD5=0F6DC949036CA6ACA8A36B6FAC9E4FD8,SHA256=30DF115FCD73DA3746CAABA93E50C15DAE414592A311341C9BB49F3589AA69FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.182{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_susp_printer_driver.yml.tmpMD5=7CB1F3170C9A562D160826E05E1DB227,SHA256=0A19FF5E0119D4970BCE76CB8FC27908E1B891746925388547D1720005BA83CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.181{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_persistence_autodial_dll.yml.tmpMD5=E2670C68D6D4D1F3BA3FC4D6BF9D96E7,SHA256=9FF5C358CA33442BC493B7EAD4591DE4378CB6199214214E241B33C9E7D7EB3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.179{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_hhctrl_persistence.yml.tmpMD5=6BCBBFD0F35F9B3BB002DEA8B9EF0B86,SHA256=2556A006E3AB6CAC4867506843B00A80FE37957AF1869829D2B01D143A25B99A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.177{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disabled_microsoft_defender_eventlog.yml.tmpMD5=FB2E14DDF3ECE62BBA80BFD8A1348976,SHA256=8197AE42BC075DA07F438562C47DD621C0540FA4A6C639DF18E890E0A43A1FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.175{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_bypass_uac_using_eventviewer.yml.tmpMD5=F9E3A7851A88D603621AE1BE836FFC05,SHA256=C75912A5AB0ECA7E77CAEA8FB74600BA205CAECFF98810A1AE615DB67F084B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.173{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_install_root_or_ca_certificat.yml.tmpMD5=77C79E5C04EE4F9F39A5665764C02BEE,SHA256=F97B6975D6584511789FC87DB770A76F44D13CB210309A42DCD61C39A9B8660C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.171{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_classes.yml.tmpMD5=A3C09B4D623F2C53D720740D5EBEE069,SHA256=A90C2F7E6806AA44AB0F04A7A66611FA6355A8AA2BA4805E8537217872C455A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.169{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--regsitry_set_natural_language_persistence.yml.tmpMD5=B0D367A119E88A3B5D5B2AE27E1DAEE6,SHA256=ACD60AC6F744CA5B1BAF78D18C75A82B79C82B02150F2526E5977BF756C54A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.168{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_susp_service_installed.yml.tmpMD5=7B02BC7D5B8ABCB333B3145BE9FA16F8,SHA256=630BB9D573F566C247E0795F0FBE7683C5576867A48A0F11E4CAE98B3715D86A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.167{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_hide_scheduled_task_via_index_tamper.yml.tmpMD5=68E6597D20A829F562ABB6162E9D9001,SHA256=8B1733FF0A80472C5E053BAF03CF027C673EA2FCBCAF3616ED747BC0E7469AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.165{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_new_network_provider.yml.tmpMD5=E3BA22CB82661C32AD708289D52681A2,SHA256=E2B727BF280C36F81E4BF73C83A966147B3482F28C863050675ABFB9792BD8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.162{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_taskcache_entry.yml.tmpMD5=04122705D901EEBE658E421D680D7B25,SHA256=4E7F658FC8379E6C5D3F7F650053537C8F001CD7BEBBE564FEAC9A2A9C31980B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.161{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_vbs_payload_stored.yml.tmpMD5=4F0E316D81856C40B7425E7B7B55876A,SHA256=5BB589081989B4B7E86DC58575AB05C31BB264659F0B2AB702B0621902C72F8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.159{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_shim_databases_persistence.yml.tmpMD5=5C7CE9E64ACDB4A2347BC26228B91A20,SHA256=D053E3628CB9514C74813AE03524962FCB8F06AA7AC5CB826D2D5359FF34F767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.158{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_administrative_share.yml.tmpMD5=50437EDC000331F6C7256679CA3DBCCA,SHA256=0134DC41CDEFB22B6C706088D3B3342BADBEF692443A4191FDE27D085BD91297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.153{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_scrobj_dll_persistence.yml.tmpMD5=8B98C798EA1E9F90551439C1CC60CD3A,SHA256=4D41F291C882CC908699BF5498F396AE83431B78FA6721B878D993FA1D50276B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.151{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_privacy_settings_experience.yml.tmpMD5=9DBFB9D1895219B75AD7B0711080E8D5,SHA256=93674B6D2CEF2EC4F9E53C7F17EDA4F29BFCD47AC46B90AE9368D7A82FF790DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.145{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_telemetry_persistence.yml.tmpMD5=D2C6B170E92AB33E518968B55E2B0FCE,SHA256=D9DFC2CB871987F06E9A53C5998B212CDCB2B7F8ECEC8B1466FBF7F69A64F828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.144{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_renamed_sysinternals_eula_accepted.yml.tmpMD5=969EAEDB41E0ABD8CE861077FE4325EB,SHA256=02704A069B0E2DCD8556D85035977416961FA70B50BC10AE1AFE918D0D69E868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.142{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_uac_registry.yml.tmpMD5=A4B669D2C910759F81217238A571F4BD,SHA256=55725712A14A4BB24576C66C3E0B5475DE432DB3340251890FF1011C7912048D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.140{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_bypass_uac_using_delegateexecute.yml.tmpMD5=D1F9E4055665600B51D0DBA730855227,SHA256=D03813737E6772C8D4E42758CE7F4DC801B7424A25482D54B5F3B02BB183F352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.139{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_lolbin_onedrivestandaloneupdater.yml.tmpMD5=A8FE2685466DB73F99B9E2ED7B529737,SHA256=65CD603E33510E239950A0937FE7F7F7B6097190FEC0E6A322FDE3F94317E542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.137{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_office_security.yml.tmpMD5=D42B8C6F0C6AD5D9E7C394C32782EBD4,SHA256=065F589852C204B41CD6EBDE96356CA6855332BDD8B61F7A5E3BAE6F1F5ADD1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.134{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_dbgmanageddebugger_persistence.yml.tmpMD5=EDA0A9BF58263F00D0B36C971670C73A,SHA256=B4AC1692771216467D880140B8BD738A6FB58591B434638A2FBFDAC0AB51CFC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.134{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_office_vsto_persistence.yml.tmpMD5=1A1A0764EBC2DE6308B1B7031CC9DD60,SHA256=B436DAA6A53572E2B4499CA15B71BF38F77524C4F9762FF9E3AE347F29DC173A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.132{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_change_security_zones.yml.tmpMD5=E91BAEEFF7FC484B1E153EBDE8795A48,SHA256=1919DFE21F75C2A32B1AA804D5B8DDD1F7BAFB43FA6EE43671CB984B81DC03CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.131{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_scr_file_executed_by_rundll32.yml.tmpMD5=B79E544C0ED9E7409569AA54E0F5D69C,SHA256=F1DA0E4732D0796AF8BF68CBD727600A6E9E1BE41F5005B90A4DBB79787887D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.130{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_new_application_appcompat.yml.tmpMD5=00B7C31B9EDF89F7EA07603694A8F855,SHA256=D9EECE383EA55B2097A82E791D6316B248FBBDBD53E24941641AC391D1F3A7B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.128{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_crashdump_disabled.yml.tmpMD5=A614B70C7046DC706FA992214EA249E3,SHA256=CBB6FD961EECC9DD516CA7F990CBB0D1610090201CCBA62DF0C19F28A15C54C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.126{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_defender_firewall.yml.tmpMD5=703D1A16933C4957C104B92195C36114,SHA256=1C62E811238CBC47E8BE7A9F48B6BEC06967A85329EFED2B50D538CD7190FD63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.124{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_sophos_av_tamaper.yml.tmpMD5=4F2ECE8A98B38FF3D16988521FF1B471,SHA256=37B2DA0031AAD9C9DCD92467AE8AC75547102662E2469AC26A5C59FC1C2E6DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.123{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_asep_reg_keys_modification_currentcontrolset.yml.tmpMD5=DD178DF0D6568E4A31B4375C67A1E555,SHA256=5A7896F5DC5A46A5B471F21AEB63D961C3F56BE67830AEDFE6C4046AB82CCB6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.122{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_disable_system_restore.yml.tmpMD5=3B91340D4F671229E0E54D0830E8EC10,SHA256=CBB1B386D4DDBBB586DEE18B3AA9CB53F40EF7CBA92656B8F2616A2245D499F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.120{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_chm_persistence.yml.tmpMD5=97E537C9CBBB39A088A74DD9C20985DF,SHA256=CBE16C24AEBE91AE7DE69D7F4C16588CBAB56397AF349091EFE3CFC4531F5960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.118{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_chrome_extension.yml.tmpMD5=EEC725A6BF17073F76AB19F343F7F659,SHA256=8CB717271EBED5267330794E1DE37A43AA1F30524F43B075EBF6E574204A8AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.117{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_allow_rdp_remote_assistance_feature.yml.tmpMD5=F5097A5416EB5C794B3B54FCC1103479,SHA256=52B6EA8A396E1E1F489C6854E76F717A85E1092B278D1435B0F53E77A7BF9C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.115{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_cobaltstrike_service_installs.yml.tmpMD5=C0F30FE9AD747F605EC548729AB3FBBD,SHA256=E5256A86E5C5646C87D5E1A3BEF1B9964B9F4D1F9A668356C20AEA856B22CC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.113{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_cve_2020_1048_new_printer_port.yml.tmpMD5=3F75524E3F41FEEC342ABED9579F92BD,SHA256=7533B0D24940674EF046D87F5FA593BF6B84E08DBEA5ABDD2CF769C6C30C8DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.111{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_mpnotify_persistence.yml.tmpMD5=AE93A814E81D8A5DED48ED6DAD36C20F,SHA256=1C4A0081A628351333D07F3AAFA647ED52C8F4D6713CA77CDC170F1D1CCF69F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.107{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_blackbyte_ransomware.yml.tmpMD5=53818DD0CB867B00722CA280624EA4FD,SHA256=41747AB26E94DB49D02943F7D4F77BFEC82B7029BC48ADDDF847E01746E7F5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.105{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_dns_over_https_enabled.yml.tmpMD5=EED44846A93624715F0E80391B67C522,SHA256=9FD8F8FCF7870D96C793D4F50B731576453C2C4FEF86DF88535070A0D13F9E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.103{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_powershell_logging_disabled.yml.tmpMD5=0E9E21E970E1408D067B83831026AAAE,SHA256=5E1FFF9D7780B95D257BB847A4B1AAED713CD3F83FB27E6F0CC9E20241B4E5BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.101{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_exploit_guard_susp_allowed_apps.yml.tmpMD5=38F819A96194B3102E967CB2631F6ED5,SHA256=4D53B2EE9109D1251F7FE7592140C4E916F125E06966BCA2DEC045F6A5F212EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.099{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_susp_reg_persist_explorer_run.yml.tmpMD5=F0E211250C9281F459CC62D6A63F41EF,SHA256=13BAE81D37F2573AF7C98481F303F666F39894A189553B09ACA6B7CC0B35B9A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.098{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_powershell_in_run_keys.yml.tmpMD5=39DD95714FEFA39C3A9B7A2C8FB64251,SHA256=E50A6083387F4D8E187A399C72320659ED1B1CB7F1FA2909F94896F86CE1EE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.095{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A47F1297EFB8D91538ED058C75C884,SHA256=06FB41DD29B4F00D3CA59E3273978CE6D7A704C88BEED058E3A1CB55A9786401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:34.095{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\registry\registry_set\orig--registry_set_wab_dllpath_reg_change.yml.tmpMD5=87F1FB6ED09336C3075AB04F705918F9,SHA256=D64EFA08826170379D801EF1421B436939687DFF804CCDA04E96351D93E18F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:35.224{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905DB8AE300D51E8FC2585AFAB5E65B3,SHA256=F8CFD887A16FA90ECBEC69F0C29595E901CF7C7A9E1351F1402047C9A811523E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.998{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_renamed_powershell.yml.tmpMD5=6DD4822C97708D30BC87CFEA6A2CD86B,SHA256=12AE06E980235A807E90744E1370A1B2CC8A77D81849D024BF8BAD99A258719C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.995{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_powercat.yml.tmpMD5=C8024FB5C5F41A930137CEEEBFEFE3A4,SHA256=0607F05742B5CFE7ECB094BE3A62964A27C135ACCACD111E0F149E225D93A9A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.993{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_delete_volume_shadow_copies.yml.tmpMD5=1A53C9165F5BE756CDFBD1116C2324F0,SHA256=08E600068676DBD8472808F2D03448E55D7317EDB7E30B071BFEB2C8CBF7B49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.991{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_tamper_with_windows_defender.yml.tmpMD5=3167C4A2A2C71D82E4CC319956BD56F7,SHA256=DEC3C2FB9646779A9B5FB612A26DBFEE552A53BBF13C1B7EFAD3C0E674E3BF05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.990{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_remote_powershell_session.yml.tmpMD5=238F7F55A7CB4AA52D6A2EFE2C03A390,SHA256=C0014F942B1EE8555D79A20A2E40A75C619DCDED9646C7ABCABFE34F7872BE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.988{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_susp_get_nettcpconnection.yml.tmpMD5=B48B2EF6660528574D636C44C31EB7E8,SHA256=AAE1FF726ABC0BB3293634A8A5D761F0FCDF9CADD298FBD389BD927D33926982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.985{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_downgrade_attack.yml.tmpMD5=EE2E3132894036D8BBECFDADBCE71CB5,SHA256=FB29ED8F80890F18F2D0415B0231E2E082AA84C3A53CDB3FD1811D9E0549ABF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.983{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_susp_download.yml.tmpMD5=4FE9AF5497D2C83F091338948F4B1FB5,SHA256=DC1D7D40BE18CDACB01900B36D7E90E1A7F21A08820E01A4C6309E36182C1929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.983{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE0E47A9B6C4D44CC35FFF6DA713C24,SHA256=BC4EDCFB3ED77F9F236B83AB016FFFFF933F384663C7341EAA373D434ADB9AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.981{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_susp_zip_compress.yml.tmpMD5=7B9A44CC9AFF159343E620CD7C95414C,SHA256=32C6444EEBF3E5F755AE5D1338816BB05C85533C4D0ABFB8F13C763BDCC37A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.979{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_susp_athremotefxvgpudisablementcommand.yml.tmpMD5=4918178557F57D4DA8FC2D05096F25D7,SHA256=546753A3243C9B8794FDBCF2EA325AC4CDECF4D14669695C388070D9F155B145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.976{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_xor_commandline.yml.tmpMD5=B8407DFA2A1A1B66B620F3F8A70730AF,SHA256=F2110B0BC2BBBFCCD43462E486BBA826C2BDA9DB482AC597D642D5A36B0AF1DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.975{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_wsman_com_provider_no_powershell.yml.tmpMD5=3C1D2467D8CDF47A564B71A962A8D8EF,SHA256=483085DF15500849F4844036EEB231A9DEF6D89FA9957B95FFF172879DE4FDAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.972{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_clear_eventlog.yml.tmpMD5=BD367E9C14D5F1310432B5E5E69F365D,SHA256=276CE2F4838DBE90EAD74DD17E3A19A71B54B21552BE89F5523FDA5F2157A419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.971{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_file_and_directory_discovery.yml.tmpMD5=8A2BB9737B1AE294149AB52D58A317B6,SHA256=35D2F7BCF15542650C669E9B4461401EEFB8D6A6ECEC20236D9989B913324524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.967{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_cl_mutexverifiers_lolscript_count.yml.tmpMD5=9011046F5C098F8814D0C97FF132D54B,SHA256=FE579F90950B721F5B8ADF57734FB88B502AE29ABABCF535C95A926126569342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.966{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_etw_trace_evasion.yml.tmpMD5=2DEE1CCAC035EF7DCC5435AA64DEFA02,SHA256=95888A9F746F3F349EB28E27A5B9EF6D03CC3CB177F5A2D02DE8D06233D7986A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.965{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_adrecon_execution.yml.tmpMD5=57B3B1BBFEE63BEECAC238003525BAFF,SHA256=8BC6D4608E20E2AE9F04BA0DFF705A1261895A0BAA8B1C256CAAC2ADFC905E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.962{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_malicious_commandlets.yml.tmpMD5=8FA58E17A41EDA0931D2B46B59938F23,SHA256=FB0AAD64C7D2EB48CB13B99BA65F511E3DA42BFEC6891C4819922073CFBEE4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.961{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_proxy_scripts.yml.tmpMD5=A3550D9327E9F88DE7D0BAFFDBC13D39,SHA256=39FCB0D7B2CC92FA42E94A9B81984B87E30321CA7D98CCEB8EC00397B87F342A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.960{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_get_childitem_bookmarks.yml.tmpMD5=27AD75BC0CDA4AB672EFFC8486F030A4,SHA256=6080A6612A64AFA7E60832A7AFA9DA79F37E237482F76D8820411B1C6E049153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.959{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_recon_export.yml.tmpMD5=232D9FB96EF5C89BF3CDDA895A175BDD,SHA256=6A909ED68CAA769B5AB774F087CF47C29D85B6893419296DDBBE85B3E7654B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.955{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_keywords.yml.tmpMD5=D2F91BE2906090D362738B074316DB05,SHA256=FA81712BFC4DB52CC5A62082355741420E4215F460B73F7B985DDD618B90A795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.953{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_automated_collection.yml.tmpMD5=8AC0B2C51A4E379BD630C1EEB1A88C13,SHA256=28C533BF954AAE0CDAAF7A0EDB8B652338237906D308294705829EA0AF66A838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.952{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_remote_session_creation.yml.tmpMD5=85F9458B8B2D7C9DDBA35D8C893BE926,SHA256=695FBB856CF82C8683C8C2A17079E40E116BCD1275E9962905E731789DFF3C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.950{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_obfuscated_iex.yml.tmpMD5=D4AAD7A632F33B039B4DB723896CC7EA,SHA256=1FF62DD1DEEA95AB1BFD224354D2999C03BB28B3E4867BB12B8879FBF9A1437D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.948{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_trigger_profiles.yml.tmpMD5=3A4591A14463EB931D07A48C8D1AA524,SHA256=BFC6D749D7C87B9E8AA0B11385DEC5F5060D410A8F83DED9C8428B7264A78E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.948{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_capture_screenshots.yml.tmpMD5=3FB77D7A630F762A2D698A3D6438BEC0,SHA256=E0BF80DBAC381AF2502EC98217FD2BAC4F8FFACCDD834927738D9C3AB926E5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.946{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_get_addefaultdomainpasswordpolicy.yml.tmpMD5=45738AAD4764C6C6AAFB8CC161C4B2FE,SHA256=2640F61FBBB3038A6EDF5140393A53E2CB90533EEDF43E7700E7ED63DE2961FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.945{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_wallpaper.yml.tmpMD5=9317E218F2C19335BF8C63BC36B98111,SHA256=05D488EA4461E006A15EC585175528FCC40F8D5596CF6AA2579DAD81E6DA92AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.944{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_via_use_clip.yml.tmpMD5=AEF1688EBFF72B2106E0405DD8B21022,SHA256=D6D5F683F63EA246C7C5206C7966DF631E445118B7858616F1A683DE044FDD4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.942{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_modify_group_policy_settings.yml.tmpMD5=800059B4C711D2BDAD9608D0B79CAB5D,SHA256=61A52B8651967297B26269AF626915D7B1E47D683EE99D6F72EED323433ADB47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.940{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_service_dacl_modification_set_service.yml.tmpMD5=85DB91D3E06C98E17A0AC064AFE2D69C,SHA256=35BC074183922C243292BBD7EF98563620DB6591ACB314CBB78D0203E360AB0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.939{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_command_remote.yml.tmpMD5=CC3EEF8056A155F43FD1EB24CEEAD2F2,SHA256=F48E3758BA4C20206B80CE1F3EAE5F481FA469E0DC92EE602F7AD058186566D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.938{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_via_use_mhsta.yml.tmpMD5=0E8BB20E5FBA5B8DA67DBE1A70DFC85F,SHA256=300CC8F4D0B43A8D08C0D33284139F7C1C4BBB4ED69345A561380C332782E7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.935{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_test_netconnection.yml.tmpMD5=0F98B8EFF90182684A429726D36CF174,SHA256=A6F4E3501F85F9EDEB6082F9CD942979DDE2913B00C45A36605913E96219ADE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.935{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_request_kerberos_ticket.yml.tmpMD5=E407DE4F6687AA268185F6871F1293C8,SHA256=42D7AED67DA900CBC244698A5C46685BBE37784088F6F40133ABD20E0809F655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.933{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_remove_item_path.yml.tmpMD5=DD769BC1C7830758799E25BC4C99B15B,SHA256=321AA5920675DAE9952B5BF2A191BF6A40FACEE46E3851252F358583EE233A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.933{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_malicious_keywords.yml.tmpMD5=29707C1B439DDAD3096695E8F30F2596,SHA256=7D4FE315E5A225A1FB12941A840D5E6BE43BB3774872A92466C10A7991E6834A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.931{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_disable_psreadline_command_history.yml.tmpMD5=3AE40686395EC56A16D29FECFDAEF4DA,SHA256=BBC444B4CE2EC7CDB6EE6A2A879D198483F1E4942CE2AF3E87509DDC2B7C3849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.928{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_get_gpo.yml.tmpMD5=A2C1BF18C6CC304DCE44A8577FDA2372,SHA256=626BF3C5557AF10B9164EFDA9345D68D4086E3D6629EC2D4ABE929702A964E99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.928{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_invocation_generic.yml.tmpMD5=218D182FD1FD1011406097BE558D1E5E,SHA256=A32D78C5C918B9BBE2645CDEACD6EAEA5A1E9646F21DB4A299ED7D5CE1997456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.925{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_win32_shadowcopy.yml.tmpMD5=7E79C0E544CD7E7785E853A17685D0E6,SHA256=D5E337E12F1699371E2D82EFFB73BF958B418BB604548F220B3029D7AB7C65E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.924{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_clip.yml.tmpMD5=A2D17BC08813E15E1EE7C78EEDD84D60,SHA256=2315CF09286237DE6DA3DBDB573358CE5FEF7EB3E32C52682BD57F305C95B459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.923{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_via_var.yml.tmpMD5=772CF42EBD428415FAFA2F96321A03AB,SHA256=D47AE36DC8C1C78164FE2867C5392ECF517BB1E55CDD84FA6F7A1265918F1FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.915{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_data_compressed.yml.tmpMD5=2928CDEE8D85B4D2DE0034E87800B360,SHA256=239D1CFB9606B9937B579AFECE57E9B94D7FB2F3EB5CB6EEAAABA7F714EFB09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.910{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_create_volume_shadow_copy.yml.tmpMD5=7D5293F78DDAC71716DDFD79A15D3874,SHA256=B86391027149639CEBDC5A8399ADA83E3D74F4B915944729481300D979197ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.907{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_syncappvpublishingserver_exe.yml.tmpMD5=56A6B650D5A28A3487656A4308217782,SHA256=39A5B5EB692AECA4883A12892199613C25FE1681C5D931B5C77F42C9F1DB8476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.906{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_msxml_com.yml.tmpMD5=DA68F511D860BCEE8A850C5DC0D9E4A8,SHA256=246BD329CB255461E85C54037F2284BB8A5A2097AB12883691CF692680C647C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.904{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_exchange_mailbox_smpt_forwarding_rule.yml.tmpMD5=6F4C19BA3760B48CB2120B4B0618A873,SHA256=528E92E1CBD523D08531844C953F237881D279BC74CEF55E0ED511AD66F3AFC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.899{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_amsi_bypass_pattern_nov22.yml.tmpMD5=0922DA3249B9000C4D109FCF6A97D482,SHA256=86C025636CD39820AD2ED245B0A3EEA7860C796603BC5A20A16AF138EE01800F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.898{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_wmi_unquoted_service_search.yml.tmpMD5=FFF3EB09F4F5B58E2B9407D34BEB3B03,SHA256=1990DAC376675A5FAB9EF43E2A0102D8F069CCEDE11251B78A238433049D6355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.896{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_copy_item_system_directory.yml.tmpMD5=D19EF46ADBCEF921AE81377CA79764E7,SHA256=0D0E26C619A8D19457173E0586093299FFF5FC7544F903249FA0DEDCEF32374B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.893{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_mailboxexport_share.yml.tmpMD5=02286498FB8AFD55C42B8994835F17B2,SHA256=9E58862543B0959F46F65AF18B1DED98108672C0D7EC39926C4BDC68EFCACBF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.892{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_ssl_keyword.yml.tmpMD5=AAB0B38A211714E3744113BDD4579772,SHA256=3DFDAE7BC39662132AE8F21231CED40632728736F520F33B84953B30FE7E6B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.890{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_timestomp.yml.tmpMD5=B5502299CB1CD9B0A6C3FF62684F1B5A,SHA256=9D9C07B725951A9783B5B70B0132CAC47F258CA4B542C948CE83D71B7F55A3F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.888{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_nishang_malicious_commandlets.yml.tmpMD5=26E258F54DA31946A5E2C3DE9177AB10,SHA256=9349A776DBB06626090A3434BA992C71AFB699640AD7AF0D8BFD02C6E09DF1E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.887{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_directory_enum.yml.tmpMD5=8EA2732DD79175D5C8D6AD0EE08DBFB5,SHA256=564DF12D48DE7C2E986B13DD01A5A6F94F919649E28FA8C3679E68ABDEC0017B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.886{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_networkcredential.yml.tmpMD5=6187F609F3D99E4816ADFC8AD1841ABF,SHA256=8EF2F046BF23219C0240186C8629FCF82F4CF66EC731F1969799FE203938DAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.885{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_cor_profiler.yml.tmpMD5=15F049CB8C2983FA7909246F929869C5,SHA256=45B7E0F5FDBE91C92F830C47A468BC990DF865E32E9DDF97DDC1B3FB259EFE81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.883{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_detect_vm_env.yml.tmpMD5=A977E2C3013F2723143F0799BFDABA75,SHA256=96AF0FA503EBCDBFA5DCDE8EF9AC130E59C7798E3E65207516A1888433CC680A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.882{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_xml_iex.yml.tmpMD5=60B691149B609E3DAF94B3E31DBBD531,SHA256=6DBF2E6E01EE269DE1E66765F4F3126788407797B9981B0DD1A6A8CFBF91390A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.880{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_powerview_malicious_commandlets.yml.tmpMD5=C81B7246AC2E51186D7887F7E2CC6DA2,SHA256=B59869149A94528877D2573596BE651DB990793DFE036CFE303C54F9B6A2BDBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.879{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_cl_invocation_lolscript.yml.tmpMD5=BE22112124EB43A21AE0528A90AFE1CB,SHA256=5CAF4BCC859774A595A01C9864FF3654560C9844098B3018A69E02E48AFBC2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.877{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_windowstyle.yml.tmpMD5=15C4E13008DECBF459ACB6A0C4880AC7,SHA256=CB4C09C6415C75E8FEA666057C4F551D408A08E77063F82E4F790422B199CF52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.874{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_disable_windowsoptionalfeature.yml.tmpMD5=F6ABA8D51440DE40963E893070C0C77F,SHA256=2F57A403532597F5A1C75C3790BE3C4E88555F52A781C8A42B78A8689E22032A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.874{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_azurehound_commands.yml.tmpMD5=1A547110B7DE9AEC1304CB75A245BFEC,SHA256=9F0C36D3FAE90676E6E406A62C6568364517E8072CFFC757D5A697B9899ED968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.873{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_via_use_rundll32.yml.tmpMD5=3321DBD4922E0696F043667930F67348,SHA256=030D9FD72614EFDE858FB9938FF33CA2B434836910B29C4E4396ABB5524B259A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.871{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_store_file_in_alternate_data_stream.yml.tmpMD5=96BA8BC7A12859F515BD23E5B20E10CF,SHA256=61E85ED24BB691E1B094B24D848F58AF4994F442DB9F02DF7021BAF2CF0B5635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.869{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_dnsexfiltration.yml.tmpMD5=D9964B44FDAA800901306A8B14306FD7,SHA256=DCA678E27EBF9F6A06F8755A30834BAD0D55AA8025B63172E04EDDEF8D379878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.868{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_gettypefromclsid.yml.tmpMD5=47E14C4436CFB7AFAE035DF1D7087851,SHA256=2E0593B2CDD62D0A89A43084497B985C128A4BF9240D41E423CAB3A70F33BB41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.866{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_var.yml.tmpMD5=330F7E83AEE6DA7F854765E3B146F2D9,SHA256=B0EDCFF279F53F4332BED4DFAF695A9A432F0F3453F52010DAA380A210077D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.863{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_enable_psremoting.yml.tmpMD5=8F90FA0FAFAB3CB11E7095C6D286F1DC,SHA256=EE2994B423EB0E55113180255FE3194E5D7056889B3AD152C4C1EA41650A72CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.862{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_dump_password_windows_credential_manager.yml.tmpMD5=4919495971839423381002A5E9322470,SHA256=F1C2F0F6E5861CAE1BF13C093DFED8EE506C7AE14C17583E3580ABAC190DF630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.859{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_unblock_file.yml.tmpMD5=27CAC940E646A2B8E47A3B4678E0AE37,SHA256=6D7681697BAB95061E3D9884C571C7F58A0B75B2D34A9398CE6FC8322F34DDB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.859{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_using_set_service_to_hide_services.yml.tmpMD5=E3535B6F35B35F91C0710631E9F96E11,SHA256=D99386B068AFCE36FDFC802E1BA26C2FB934B621300CA0DCB5E7E8FAB0949D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.857{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_via_stdin.yml.tmpMD5=5F63BCFDE50029B31D84404E5E797C1E,SHA256=04C7D0A5319C1044C114454D8A0605E2E912F2D60F3DE90133E53464CCEE1FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.857{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_win_defender_exclusions_added.yml.tmpMD5=783F570A130948D12E464E23B0DAC370,SHA256=46EB1F5DEEB760D904F8048B02F8B3E7D1458D2CCA5582AFD9DDF607C2BC2961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.855{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_apt_silence_eda.yml.tmpMD5=AE84D9B2B662FB5EFB3EE376978D7E25,SHA256=9D60D3FC51621B3D10F687C50C91DF17764C09C5971455DA363DD48D8E4D5615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.854{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_localuser.yml.tmpMD5=C0033146CD4BF544AE6C20C8A64117F4,SHA256=597BA7A4FCF5BF59F3824920F0AC8ED2FD8526CF2CD0BAAB304A63220FD9A8F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.852{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_write_eventlog.yml.tmpMD5=07960639851BFF2D93E52CF286893028,SHA256=D3A5E2A730F718C6FA7802C924129C20D9BB9EAB950099233811856AC358607E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.849{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_mail_acces.yml.tmpMD5=5D06905498F22A172448677FF94914F1,SHA256=B64FBA670C715DCC7208ED8D19F62C315AD5F08DCF156D4BD5558912356F9565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.847{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_get_adcomputer.yml.tmpMD5=A7E5797F577798034125307B73D0617C,SHA256=21073E55811F69A64170D2AB3C02FF6F932CCC350B11EF697929C6514C2F768E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.846{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_potential_invoke_mimikatz.yml.tmpMD5=2FA88A97719917619E919EAC6D36AA96,SHA256=058D52F5FA504D77ABFE60B35470F330CF28DBE003627B094A00AA78C300F743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.845{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_get_adgroup.yml.tmpMD5=DC2B2FB6C1A9E8BDF8B2D4A0127E9732,SHA256=57CBA6891E8CF196527B60F43B9CB1213C3C0B4EDD1AEC98E8EC3172200504F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.842{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_follina_execution.yml.tmpMD5=C884B49E80480D396C9EC3ECACA782ED,SHA256=06CCD7CBDF52F2EF3473CE127EB17E2F1DDBD5ECD9CF9AEB16B06ED55561E4C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.840{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_clearing_windows_console_history.yml.tmpMD5=E639090DF15BEE481B10032D4C61D54B,SHA256=75EF9F7DBF052AC27CE8977C3D5D39D16872D9576BBE039CCC650BBD70267D25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.839{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C441EDE089E51D9E9F868D72D0908B42,SHA256=0A342DCD9A6230CA54EA09C11E05F7F480326328CFA057236518BFFF2E58C0FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.838{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_ad_group_reco.yml.tmpMD5=65FC30B3A1CAF9358DB9A6708C94FA81,SHA256=C368386CB9E2163845BC510A72EDC0D9BD51E0607F119FC5132672484C5A6163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.837{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_mounted_share_deletion.yml.tmpMD5=A51D79A0B575F5E9B65740FF8B390248,SHA256=88536AAB3727C3B603AF30B1D64670EB1DCE74526E8C8CB53E8B4065A28888B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.835{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_tamper_defender.yml.tmpMD5=6CE12B0529951FD93355B442A08404B6,SHA256=AB131EBAA485E07D9A7A02B454FB1BB081D3D50420E3F492CE8D5E8BE37F40DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.835{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_as_rep_roasting.yml.tmpMD5=EF709C2479774FA11F90DC019A0FC481,SHA256=5518F583BDE0C75BC0B9FF6F9F150C9F216643D12C4A28AAA33B25F16F522A2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.831{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_run_from_mount_diskimage.yml.tmpMD5=044E57F9F137F594FA9B0F98BE3778FC,SHA256=0E04CFC9A33EE8728916BBE2941CB975ABC9AB35AFFCAE0F051B45F6D04A2865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.828{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_get_adreplaccount.yml.tmpMD5=D3F914816C99C5F1441DB247ED74F238,SHA256=55E1E8B1B32EECD6EF6AF3904C6122B682D49BABBF11C3787985E91FA94CBAFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.826{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_upload.yml.tmpMD5=2B7E05B019FCFA64447ABBEF2120DB72,SHA256=52F87AB107B73D706B61866AA809EBF6D440D97B581A65BD861D3EDF461DA138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.825{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_computer_discovery_get_adcomputer.yml.tmpMD5=2FEDD019E504F1EE0B3895716B717B5A,SHA256=45541C0D7D72C4F1DB70049B4A526FD62D524B2FF78FDEF2606779EB48BC5AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.825{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_user_discovery_get_aduser.yml.tmpMD5=418380687955B50EAF0FABE0E2FCFD42,SHA256=B45B74EB8AAB4DAD1643B1BC88CCC348D981F2F67E681638D6ADCA38FFD33B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.823{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_psattack.yml.tmpMD5=737846F089BF86E7480BAC56D9181CE0,SHA256=176F0CEC136B808899C7979F3C016766737C66E3FE5A284AF64DFA9C72489C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.822{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_invocation_specific.yml.tmpMD5=87B18515F4627047DBA86049AB361443,SHA256=F06455D2A04915229F6E066597DC1AB41B99BB6B32987117E385F1DA18894DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.821{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_getprocess_lsass.yml.tmpMD5=8C6C8E1D3482100CAC538F3BF1C9797F,SHA256=AD4921CA4C18E83D0CF2E8200DEB5F32D20A34D4A9485895FA9DC885F5AC3601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.820{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_dnscat_execution.yml.tmpMD5=CB4B50FACC7861B812CDFA2276BE0FF0,SHA256=2ABD7DA9A25D0358238B15E2E4E6063B4B82460BA942002F6BC980F32DA94943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.818{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_software_discovery.yml.tmpMD5=E9E6A2D0347725F836EB6E462D6C65AC,SHA256=768DBD99E478A6CE3426479B7235C6263D2206E859754A5FBD2753608CCFEB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.816{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_remove_adgroupmember.yml.tmpMD5=9F4B7386B4B14CA87701BCCBDA4642B2,SHA256=89A1AA643497B79D649BDFE994B7667282E7FBB69DAB634C19FF44EDDEF87546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.816{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_web_request_cmd_and_cmdlets.yml.tmpMD5=98818980EEDE3F71B066E88E3CBA7E89,SHA256=A129138DFB3B895C351DF4E1379F5669D5DA863120CAD52D2CAFA259C8FF07D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.814{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_memorydump_getstoragediagnosticinfo.yml.tmpMD5=A04FD62BE8C66F1B39E180AA4D75D07A,SHA256=7F97D940ADCC991D80E4755D0560360294DE26B23B370C5BFC623DE64208ACC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.813{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_smb_share_reco.yml.tmpMD5=6D6B55EDDDABAF2B5AEE35B9424238F7,SHA256=9E9C0173C0BD3EE1F85916B44A36791006006DBCA01DE2BD7FB3FF05B180C296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.811{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_execute_batch_script.yml.tmpMD5=E81C473055C93B80495F6AADFF938ED8,SHA256=D6778A7B538BE2BB54FB201B34E0A69388654BD72291B4CDD63B3038E6C4B33A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.810{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_win32_product_install_msi.yml.tmpMD5=B4C651A778DDF50CEBF816326764C707,SHA256=57D6483F110603182A409E1B2E7C13E04D0DFA453AC336B8AA21B41C575F3A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.808{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_cl_invocation_lolscript_count.yml.tmpMD5=7A2A43082C00A99E8CF0DB5B93B9B6E3,SHA256=80B05062088B3B4C953E111A3846A9430AA2E72D752352199C760F1939F0E699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.806{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_cmdlet_scheduled_task.yml.tmpMD5=05304009DF2DC6A7469A6822930E49CD,SHA256=15FA1C5DE569BEB6903623F2DE4BD9BE87E951AB1691A8F5A2C8F858201F0F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.804{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_import_module_susp_dirs.yml.tmpMD5=10D38AE3E7319C79157E2CF1BB5E97EB,SHA256=3A624EAE1CB0DF55E2FC1706C5C504450EC12F7B25623E0356673F80DEB9C715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.802{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_security_software_discovery.yml.tmpMD5=A53C177FF622F90AD3BDA28ACD7C7E78,SHA256=88CE81AA05230CDCB4B28C202EFF7F7C8007189A0AC318815F2664320945DA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.801{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_windows_firewall_profile_disabled.yml.tmpMD5=F9C6044CE0D2A833CA933E2417440820,SHA256=726402D5157752256B2E92405651ED8D2D61FD082DC7F42385F16C2C721CD4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.799{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_new_psdrive.yml.tmpMD5=C64710CD876E4F0B70B4182BE56428F2,SHA256=D03D2C8A86797EEE4EE4A701D08D32A3CF516AE9ED981D1EAC189760C6CC9299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.797{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_mount_diskimage.yml.tmpMD5=A957C1698212C3BDC5F714DDE34655C7,SHA256=6CFE4BA3094587D4D48AC1EE7F5E5AF72101602346864582D4CC80F66DEF11D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.796{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_via_rundll.yml.tmpMD5=A909653BC5EC0416915AD74EA0AAB691,SHA256=09535FF10456ECFCFC6EE730241A78092DA31EEDB35CD2FAD7129046C0BCE11F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.795{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_get_process.yml.tmpMD5=45375CCD400DA680A70660E9890D50BD,SHA256=9414EA9ED380A38146820B9D0DB649B64023F4927B48B7F76468A42E459DC6F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.794{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_via_compress.yml.tmpMD5=AC9CD57CC689C356560AA9363892BEA6,SHA256=85262C36CD6BB136FD47DDD1EDB4294057CFBE1DDB8457C0F15D30C73D811996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.791{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_zip_compress.yml.tmpMD5=5768978086A0431DCDE6839A549C8BBB,SHA256=EF268CB6990133208B7CF026927FF9BA2481B5C1322A25AE0B8C4CDE231F5172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.790{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_ntfs_ads_access.yml.tmpMD5=8C946E2C732832972A8121744F12178F,SHA256=B3F3490E071762F4CAFB7EDADE01AD054103125A04A077AAEE08453F9EB2F8FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.790{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_tamper_defender_remove_mppreference.yml.tmpMD5=0AED48AD2BF1414E282E13DAF11A1525,SHA256=C15D94BD8E1EE07BF11A9F612BF9C73B5B0CFEF37A3B56BFEA6D26F95AA92EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.789{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_start_process.yml.tmpMD5=5DEF4012D86EF49072920A1CB5A0EE6C,SHA256=C3B62C045D6C1BA2D0E066FADC826BA9E22603C7A0E447FA25F71C81D5229BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.787{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_icmp_exfiltration.yml.tmpMD5=7FC7AD8D7F0B5FCE54AABD4924A0DA60,SHA256=1A090719985CD7A6BE2256210F4DEE7057FC3A7223445F68D6C6ADF275499E82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.785{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_accessing_win_api.yml.tmpMD5=0D28E4474400C299507F85C2A00A2BC9,SHA256=B0BE64D339C401BC9453DA7878DD696F39FA751F68F4EEE82F8880B0D3D5B5BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.783{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_access_to_browser_login_data.yml.tmpMD5=B19DBECB3FF322EB11EE43EBE364C926,SHA256=E64256A37AEF05F05D17C93A0FFE31FF79E4A9D8E8EF1C92FEC236B76491C9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.777{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_send_mailmessage.yml.tmpMD5=567A075E83530D27B20E1D72F422738B,SHA256=C6B4EF210310EAA2AB63243C79B10B70CC6ED456848A23C456B4DF3399901D73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.774{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_extracting.yml.tmpMD5=74F0C52438A4DD405EDC0C9E5ABD3107,SHA256=8EEBC2A2603CDD55BD7146110C9AD1914F1C1B6CCC45FFC1984953AA5F39C776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.772{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_psasyncshell.yml.tmpMD5=D699F8B1855EAB576E4CBED26A73ABE8,SHA256=1CB7DA0871DFB728808D5B8C6FF75A0CF50F3CB420D4BF1EE2BE4A225B96F339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.770{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_keylogging.yml.tmpMD5=71BB2D8D8C8E9DDAA025323311F9B24E,SHA256=62690E72BF0600D4FE876C79639313F823ADE123D6BE08A9EF2B89C653A46EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.768{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_enumerate_password_windows_credential_manager.yml.tmpMD5=803DDE130E1D19F52D37BC1BE7416D31,SHA256=21C010B66BB6FA32B9B20A0ABC51892B470CD8CD79CACC1FD0DA67399C25BE06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.766{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_sensitive_file_discovery.yml.tmpMD5=D6F164E7D1CE557795C2A31F1A235DDE,SHA256=0B71ECEB109DD2416253E688EF1029BAA029A09826A3B203D8094F682D4813A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.765{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_hyper_v_condlet.yml.tmpMD5=BE5039678FD811FABF9A554781A08C59,SHA256=235B5D6EE7C5134E4F4569E754D255BE972125263BD9BCC0CCF9034123B1C5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.763{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_shellcode_b64.yml.tmpMD5=67B219FE884FDA8B7A97846046C9A74A,SHA256=DC0C55082B3BEF8C5B16D522EAB8A46101E9A4004D31FEEBEFF8E5DB32FFB864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.761{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_prompt_credentials.yml.tmpMD5=A5607F20E95F806CD5F41E1D810B42AE,SHA256=66A2EB2A1D89815DBD91BB507A7F798C96936AD711D7101BF0FE296F83F9069E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.759{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_local_group_reco.yml.tmpMD5=576B740E17FE8713A05F943497EE663F,SHA256=70B37BD4A2227ED6D4A3FA028BDE4B3989D62B10C4307767DB184C41A1F020A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.758{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_win32_shadowcopy_deletion.yml.tmpMD5=724AFCB8541B76BA48B37BC416C2E50E,SHA256=BF74F6CE79430B5F83090326919B87C804F651814788B2712C6B874593C7B86E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.756{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_shellintel_malicious_commandlets.yml.tmpMD5=7446986BAD5F0CA2827A3C05929BCD10,SHA256=08ECDD023953814C20AD185AFABA71C8BDE28A8F50BA87BCE1E7B24424B395D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.754{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_iofilestream.yml.tmpMD5=1BD508FB21114AEDA3B48C4403B7D63F,SHA256=17A03F6AC3C2D9D13C7B35A22FDEE319D013C048C04D363240717DD704F5039F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.752{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_wmimplant.yml.tmpMD5=1401C1FC1343D98450EA5D6521F761D4,SHA256=A91C50379BF141A7C6DD4E795086499A90B1D1A88B4A59744759C0EC82B92F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.751{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_get_current_user.yml.tmpMD5=686241498107F0E1E2280071524C6F0A,SHA256=1C9229696FD6B57BB0AE5ADD1FF19395A6962B79E09B1D196A9D97FED6F41F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.750{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_set_policies_to_unsecure_level.yml.tmpMD5=68898A29BC2B285ECE6B0C7EDE6FB2C9,SHA256=1B89168DD4EEC3D9A427AE40AD03345F806700D5FD61B7E639B25152F35BDABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.750{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_wmi_persistence.yml.tmpMD5=B8F5A2BBC03DAC99564A70B0A0D50DE7,SHA256=8ED958A6BD0EFC981515510CC437D751CCE0F49991270E445601038497E0A6E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.748{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_directoryservices_accountmanagement.yml.tmpMD5=8D1C50F79AAA9CB1FD3E16AD7CA4FE72,SHA256=DA4BF2550AA41D3E9C7103B0440C966763ADD0CFB65C9DDB6833DD1057BD5A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.746{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_export_pfxcertificate.yml.tmpMD5=993CC590B9A565099CA950A2A2C6BDC7,SHA256=2CC38118E99231B456ECB09AE0D3BB5BDED6773290A53C0E19CCA44ACAA53238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.745{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_cl_mutexverifiers_lolscript.yml.tmpMD5=D6A5836D39368F974A77D2DD0632092F,SHA256=683A197DF7AA42247F2D8580EFC2259D0140B81A8828ACA85B6E19BDECD4E112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.743{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_nightmare.yml.tmpMD5=BE808E671F23B33FE72E0EC9CDD107BE,SHA256=26F3EE8BF4DB9FAFBE9EB3472809EBD6CEB4CED0327818ACE0BAC4C87303BE15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.743{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_directorysearcher.yml.tmpMD5=32F45688BD2277D43AF9C5F4525A0149,SHA256=87887F2E6D51E9920E523F4212E30B29E068DAD00A0C96D5F8942352F5F6E65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.742{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_invoke_webrequest_useragent.yml.tmpMD5=A016F3AA2B644C5FC1C6A685677E97FE,SHA256=0C4B0AE7CCDB6AE86A7D05FE92DC71EC1DCC186E25276F0DCE5C51F764E6172B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.740{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_invoke_obfuscation_stdin.yml.tmpMD5=CE00859C35CB66CAD68E3534DF20B2D3,SHA256=7294D912CE2D958E469DE35B1DE408A62467B28968040358032F4FD222EB7B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.738{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_add_dnsclient_rule.yml.tmpMD5=C72B64A046B981324BD186467C64141A,SHA256=862D1605422D42A1B0E244F80AB6DDAD49EE6D4267CBAA157A26289D8B340D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.736{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_get_acl_service.yml.tmpMD5=BE3643F583688EA6756172439216029D,SHA256=DE1462B4D98669B74C501901E48B07FA49731DE75B9B3057CD4833114A08BD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.734{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_office_comobject_registerxll.yml.tmpMD5=F840B66AA814C41548DC94D52B773772,SHA256=CFCB6939692B350081AE5A15F38BDFC37088F52CA2D3EB2DD5E7D85199FFB84F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.731{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_root_certificate_installed.yml.tmpMD5=1A9D91A041987830DDB7B3CBE9F1FAF6,SHA256=DA33B9EA0CE1E2F00060ECA556BE6A7302CE89CB6EAD414F3E0085D2780AD6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.729{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_enable_windowsoptionalfeature.yml.tmpMD5=03D9932C156B0BFEA8D668606736365A,SHA256=95B0EEF10921812DFE9441B4BD101B752FF4F711B96BC81EF3CC9C4B1AA42923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.726{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_hotfix_enum.yml.tmpMD5=C109621621FC46A6718AB7DD18C4917D,SHA256=4C8DC5CAA1917F3D44779EAA759322EA42B358397F9E44B7DF437665F3E8F6D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.725{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_winlogon_helper_dll.yml.tmpMD5=78E9906BEB74B8A5AA3888D952F3AFA0,SHA256=07915234096B16955970F70EC403F5F162F97ABCE85774DF790B03C5DD9CA11A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.723{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_create_local_user.yml.tmpMD5=8ABB0C269594EA2546B10FB0B8A57D8E,SHA256=F7339CE2874D640A2B6A4AA42AA2C7F5CC8A41B1969D87ABCB13386413082B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.721{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_clear_powershell_history.yml.tmpMD5=025A0E1C2FBFA2137078B64E32CD695D,SHA256=3BECAED9F40223F204234D00FC0D179D6F37109B7EA5EFEBF62B7CF25802AC3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.720{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_download.yml.tmpMD5=F21A1C24E214C5CB814E0E97D5C8BEA2,SHA256=08060790E491B3759F74F59E11AE6690A82FAFE67728A72E8E03D39276E5DB12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.719{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_gwmi.yml.tmpMD5=2DF502B2A5A2CA058A185CC99504A0F5,SHA256=9E1C475040B6F51A4BDD099940A2911096E76348C0B82E65EC4732C0AD76DD60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.717{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\orig--posh_ps_susp_win32_pnpentity.yml.tmpMD5=FD985AB017E02DABBC166ECCA5C5FD7A,SHA256=5871FBB46694BE6CBB6F8617955569AC6111581794C1CC8E9DD38E05B1F09DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.715{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\wmi_event\orig--sysmon_wmi_event_subscription.yml.tmpMD5=425C0F70E968CB406551DF0928106712,SHA256=109EE567AC0C125E179D922D3AB241FED9AFA26CF49605A3430247A4889AAED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.714{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\wmi_event\orig--sysmon_wmi_susp_scripting.yml.tmpMD5=6C2D14AAED4FAE915FD956E5F8297D42,SHA256=0B689EA3E740422BC39470ED28AB26E623659A67FB21B56DE1296D45C21AB408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.712{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\wmi_event\orig--sysmon_wmi_susp_encoded_scripts.yml.tmpMD5=7812A0954ED494F61DA05190569ADC46,SHA256=878B1884FBB01926F5698B5F0995EA46DBE1675FB7058EB24F97A12AEF75E87B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.711{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\taskscheduler\orig--win_rare_schtask_creation.yml.tmpMD5=15F4BC84DB1D30F38CE605764A872863,SHA256=58124A91D3F795FA601C25CFD516A15C2FEA7F141A2E699D6DE64D22F6E8969C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.710{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_tamper_protection_trigger.yml.tmpMD5=A9AC8AB9C636C4896116D8613D730BAA,SHA256=8E7C9F5C70EB18F298AF8FDCA7E58B958A18FFBF84EDEEE8637D3D8442A9FC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.708{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_exclusions.yml.tmpMD5=A8DE7EE5BB7FD655B3FC30F0A2E8F979,SHA256=86FE900396D85F6A152943EEBBAFBCA6C13A3EC223B45C02271FA3C479753AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.707{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_alert_lsass_access.yml.tmpMD5=DD2707EFD989BBD59883082498BE37BE,SHA256=2B400C75C9465B3BBA6C1BD1C1C7466FABE1B0B2B6FA9CBF892E08F583B62855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.705{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_exploit_guard_tamper.yml.tmpMD5=D37BDF55E64381B69C0CB7A5FE2203B8,SHA256=ACB772A47E7912B68208F403291062A1A0AD56C196A069B34B282D70F8AC806F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.704{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D1B912E7FC193EBE7BDE4FC3A9BE6C,SHA256=EDB44527917AD782FDA02F6EAC0357DBB4DAF7EEC40B5FB37C1ACD6F6A83894B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.702{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_psexec_wmi_asr.yml.tmpMD5=FEA6879737F9CBB176AB915E811BA77A,SHA256=A391B5327B4155A5B579536F64699B99A492B62ADCD227EF23AA2319BE5E73B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.701{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_threat.yml.tmpMD5=331D07A4743969E81E875C93F837CF9A,SHA256=82F773590FC96DC3EE7D40F8F83011C8FD6FEA223464A9D8CDD06DBA1AC5D632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.700{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_history_delete.yml.tmpMD5=AD6D50B8EA0680F2D1BD6806B8B6898B,SHA256=5441661736D72F96E08DE246D96C64A5C54A39827C3691F00AC2D7A6A082AE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.699{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_disabled.yml.tmpMD5=FA8B496C3E21182342555DDF05A99A41,SHA256=06FFC3487097AC6B5381F779ABDC8ABB4DE167247468305542CFE1AB1D981D02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.697{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\windefend\orig--win_defender_amsi_trigger.yml.tmpMD5=DD5B862C950A4CCD2EAF26E0D210E38A,SHA256=FBC9CFB92A59FEBBCC9BD9248A215EA7A8C6599619AF56F12DC0F79255B1208F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.696{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\bits_client\orig--win_bits_client_susp_domain.yml.tmpMD5=050C8BBFC8C16ADE6101397873FF98B2,SHA256=5CDBAF5B2DA5562951D8D6575337C07C57126B3FD2CA14B47640255589E28EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.694{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\bits_client\orig--win_bits_client_susp_powershell_job.yml.tmpMD5=8C583E4FA9CD837C9C3DBCF63B80093D,SHA256=0674F3817C957C031BBAA1AFEB9CACCE61A75D010BBF1D2F3A23BAEB44E15200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.693{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7CB973ED3847BEE44336FEA827FD9FF,SHA256=2A87D53AF1A6D5E8E1F6AAB40AD8885E1B2360560290FD8B8A5A394129FB82CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.692{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\bits_client\orig--win_bits_client_susp_local_file.yml.tmpMD5=227DC062F26DE360BB2A52E3905460DE,SHA256=2BC893968F754DC4A3070CBDB1C355A74DB28EC1D60AB1E32A56859C8A09CFDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.690{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\bits_client\orig--win_bits_client_susp_use_bitsadmin.yml.tmpMD5=1474DDCB5FB02C216FBFF631E32FA4C7,SHA256=6AAD0D0999CADEFDA7294A70D71338CF6A3C29E8B6C90D5AAC6BF085FE636B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.689{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\bits_client\orig--win_bits_client_uncommon_domain.yml.tmpMD5=BB42151DCDBD91F7CCD70A258ED8D6BE,SHA256=2B7B851034D75B312CEC280C2B2A52DCEF1AC8D183AF51C283273EDA443202C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.687{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\bits_client\orig--win_bits_client_susp_local_folder.yml.tmpMD5=C5C6F541C89B0F11DA380F1D89F07E63,SHA256=8320BCB2E30CD30813F008A73B13E17A1E76A6A6BBBFBC72D7A4FB240FDFA03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.686{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\smbclient\orig--win_susp_failed_hidden_share_mount.yml.tmpMD5=27AFE3CAC675318CDF02A8C8B60BC9A7,SHA256=DB41153E899FE25ABC6218FA7C7AAEDA6050069003DC881462F3D14B9F64D0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.684{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\smbclient\orig--win_susp_failed_guest_logon.yml.tmpMD5=46102EEF12D9005DA06D60D3995F101B,SHA256=6ABBE695F9F1CEDE6EFC552DA801604046C7C7ED60416B5BF142E4D038A30F4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.683{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\servicebus\orig--win_hybridconnectionmgr_svc_running.yml.tmpMD5=73532C224551B053C6E150DD17637876,SHA256=D503ACD922E3301F90C67B6C7EB976E361F3952CBEB373316B843D388E87512B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.681{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\driverframeworks\orig--win_usb_device_plugged.yml.tmpMD5=1A404EB8DE743AEFAADD74EAEBC5B03F,SHA256=BD134A00162485689CE93D70F8ED42603AA1707D45FAAFE80FBA4461D0F7415C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.679{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\applocker\orig--win_applocker_file_was_not_allowed_to_run.yml.tmpMD5=E6A8294CE54A6A502A91D88EA3FDC693,SHA256=3014CEB0078B1198AE7AABE561708EA212334D7193F7BB4E920C0891DD5C2361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.677{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_audit_cve.yml.tmpMD5=99CC62F6D0A4DDABEC6865BE21CCA9ED,SHA256=A5FEB67E39CCF37C72840F7B24FF428484CDBB0719FAE9B51981F484484F0F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.676{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_builtin_remove_application.yml.tmpMD5=058486786D8EA2EEE65F00A96A5BD4B1,SHA256=A8E150D05D614FCC9B8CE589B91824B33E7D84A33E122145ABA129494779F322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.674{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_susp_msmpeng_crash.yml.tmpMD5=48412FD232DF359A57EDBD6FD905605C,SHA256=61F37A8EB73FEF69A17650CE29A43E244D5836E49D4B3D8E6B4A20D76E1639EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.674{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_esent_ntdsutil_abuse.yml.tmpMD5=B096AFDBB423AB6698DFA77ECBEBECEA,SHA256=0BDDEA1E023CBDC93DC87EED5029F44B49A4A88DF17B27BA48986638AB75B51F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.672{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_mssql_sp_maggie.yml.tmpMD5=920A5806C55CAE54286D4983C577380F,SHA256=3FE397D89A9C57C127F1ECB9FD0FD3F25416D38AE0905BBC796B43BA4D8A2625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.671{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_mssql_add_sysadmin_account.yml.tmpMD5=291C604BDEFF1F3044FEC3300D8EFCE2,SHA256=AD7F3B1EEB304790DCE39F458CD6B2B012EC61E3876F243AB34CBB00EBEAB65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.669{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_mssql_xp_cmdshell_audit_log.yml.tmpMD5=A22225B42DDBFD381BEE59DF1291D60C,SHA256=E383248336E37C07BAB97DFF2138214EEA69AD6EB8A64285AC1A933616978B1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.668{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_av_relevant_match.yml.tmpMD5=766906EABD5F45C58B16342558AC9F78,SHA256=F6B6153CF650F0BF17EF021ED6125F73361D4DC380FC4CFF9FE3FA97BAF129DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.666{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_mssql_disable_audit_settings.yml.tmpMD5=8E305E570424D5A19405CB49FAC0C162,SHA256=641326C3616AD0136466D6EFCE2BFC04D027100201D67A8D7EB27A57741930E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.666{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_software_atera_rmm_agent_install.yml.tmpMD5=971FEC9C3042B4BA79D377B30F62E2D0,SHA256=C54925B96B33BC4D6AF860A32CB0B7287C990C3045E07D472DBA292AB7B64E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.665{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_mssql_sp_procoption_set.yml.tmpMD5=5C5A8FF2A85C0EE6107E16943F1246DB,SHA256=C246B931DF761E00231C69277E801B4CF3E5DFF98537DEC3D8FF8948DE8461AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.663{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_mssql_xp_cmdshell_change.yml.tmpMD5=B72CC641A755697A8C06C8FB3366BCB7,SHA256=A53E8D92BE70B012E2A23C8B09A13E3F60A28E7A32E52078448744A286F4CB5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.661{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_susp_backup_delete.yml.tmpMD5=604812237C5994B64B0A0D8E266BE2E4,SHA256=6828DA487616DC5D41C6A6467CE19D3FE5A121D8E6655137780EBF14A1D142EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.660{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_esent_ntdsutil_abuse_susp_location.yml.tmpMD5=13772EE37D813F361B3CDD5D7DFB917E,SHA256=229EA7E820C5B5820B7AB222DA3584CB880A769C06043914A1498477721CF918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.659{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_vul_cve_2020_0688.yml.tmpMD5=8A2D18BDCC2E5D783C3BBE64822A8E4E,SHA256=50BB100D4A7B7DCE7D46759A014518749856352F12736DDD8A6BF272EBB0EC83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.659{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_vul_cve_2021_41379.yml.tmpMD5=E721B158A4BD48C941E12DBAE7D395DB,SHA256=174B455AB86EB470C57049C9086CCD22988B9B5C7E03642B901BC6B71B88DF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.657{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_msi_install_from_web.yml.tmpMD5=59E3503090EAC860D3C759C22FB08FF3,SHA256=6E27C804C821B83A77E2F53B33073EDB050B2792388D2BD8A83E032FA1AD9969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.655{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\application\orig--win_msi_install_from_susp_locations.yml.tmpMD5=A9316C7BF7BD9879F2342D454755FB73,SHA256=70ABEE37259B7C2C100DD1A4291CE26A41406416F173265C45DD5EDD7CFFCB8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.653{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\dns_server\orig--win_susp_dns_config.yml.tmpMD5=FBC9BF0B88C99CC5859967E16E07E286,SHA256=06450ACCA668FAF2140CC6800A73308DF5F715B431CDB95D153E686763E34CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.651{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\dns_server\orig--win_apt_gallium.yml.tmpMD5=9BB788FE4E98C954EDB1BF3C62722E9D,SHA256=B8E47C7EE24B6FB79CD5DF121AD4257523B278EA30FF6CF99AAF730AE9CAB300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.649{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\orig--win_alert_mimikatz_keywords.yml.tmpMD5=8A05755AB14E243080D73F1EBB6A4655,SHA256=689E36D1B7FA03FE046FEAD48B9AED5C394DF0143E9699F62E48A33FB3F1C508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.648{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\code_integrity\orig--win_codeintergiry_blocked_driver_load.yml.tmpMD5=E6144BD5EE1E23247BA60AD7D104B0FB,SHA256=BDB8C207A94F005E325890D8ABAA97D8680A071EB733ACCFF3CDF6451A8E5EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.647{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\code_integrity\orig--win_codeintegrity_revoked_driver.yml.tmpMD5=5BC82720F59189193C2B10EB1419A47E,SHA256=512B7E1EB4C4AE3EF82BFAC0FACDF9161CD5F90859487CFB32015CED2B18D23B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.645{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\code_integrity\orig--win_codeintegrity_attempted_dll_load.yml.tmpMD5=EC6E477343E42BD68A0D3BCFD9D37B7C,SHA256=B57149889178E8DE7CC02BC2FCCBEB49A5A531FC55F65336F5B1BA6A9C637340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.644{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\printservice\orig--win_exploit_cve_2021_1675_printspooler.yml.tmpMD5=919410F956BC5BC2F55AC6D5DAAE13AF,SHA256=74D3C0F833C55F5813FD2E979F3DE4353F004A5E9DCB535EC995E64B28B71209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.642{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\printservice\orig--win_exploit_cve_2021_1675_printspooler_operational.yml.tmpMD5=316409AC2DDD08A3687559B0407FE508,SHA256=822BC354A7C0AF92CE1B28F638D5BB5527781DC126FF84AFCAF1FC957D0DAE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.641{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\ldap\orig--win_ldap_recon.yml.tmpMD5=D15EF3E39F9C35FC2784AC0509595BE4,SHA256=C12607BE1FABEEE31D315CF3B1C38ABF6C05FA73E9FC10E17E7088BC59E54F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.640{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\ntlm\orig--win_susp_ntlm_brute_force.yml.tmpMD5=0C052CE608BD2E343282500A4034C864,SHA256=75C252AD9EE587DC9333EB2D5B0EA12A366B92888AB624175B456DFD540F514D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.639{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\ntlm\orig--win_susp_ntlm_auth.yml.tmpMD5=9D34E0DF88958C4136C75350319AEE4A,SHA256=3C036B3629C1FD48F793AEE51DA42658EF59E6CCA70DB48DE27173CBC4D91D65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.638{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\ntlm\orig--win_susp_ntlm_rdp.yml.tmpMD5=61D1F8E7B1EA554846FDE45CEF052E9E,SHA256=8196417E98D3915D3A9C8C82D7D803275CB9A7369D7039F17876A491F2C13269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.635{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\orig--win_firewall_as_failed.yml.tmpMD5=A5103658CB5E0F741AA09CCADFA580A5,SHA256=9308DA6E5AC1F1048C6AC7CD344E3161956525A29C62E02DA0CA87DAA8BBC5E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.635{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\orig--win_firewall_as_setting_change.yml.tmpMD5=D9A4CE2AF73A4498C21DC7144A66D6CC,SHA256=9D1FADFCB4E3C7722B6CAC2DF1314A31E5AEF0A38EAC4B1650ADB295ECF123CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.634{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\orig--win_firewall_as_change_rule.yml.tmpMD5=437F7071E18E6378FAD2BA5FACAC1691,SHA256=B9064D1A6E846C88EA8E5E2E13B9CAFBC53C1EA6CBE3C2D564E94C377E9E2564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.632{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\orig--win_firewall_as_reset.yml.tmpMD5=D6BCCE81D7B24A742122805197356AD9,SHA256=ACAA30AA111DAA0557B1D27506AE22E748492D802AECFDE0E1C5E4EFA4D247D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.632{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\orig--win_firewall_as_delete_rule.yml.tmpMD5=7346E7287DD6FF71A68462819CA393C7,SHA256=9CC24BBA522B21AFB582A6175709BE3D618FA5327981AE1DBA4F25EA6CEDA27F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.629{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\firewall_as\orig--win_firewall_as_add_rule.yml.tmpMD5=A087D537CECC99AB5EEF6F6D7F17A20C,SHA256=39702D40E6D531BE5911C2F0F36A6FB28D2256B320DBDA0C496D399F95773C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.628{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security_mitigations\orig--win_security_mitigations_defender_load_unsigned_dll.yml.tmpMD5=C2EAFE218C241EA986FAA9F10C1E4D7D,SHA256=43A0EAC85EEC7653FA53843432D152D70A2C6831641FC371180278AB88BEEFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.627{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security_mitigations\orig--win_security_mitigations_unsigned_dll_from_susp_location.yml.tmpMD5=1F586D4055F4BB00AA35479B2B68DD58,SHA256=673E021D8C59ED3CFB7217C18094B1000B004147F7CB078DA6823AAC00A66242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.625{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\terminalservices\orig--win_terminalservices_rdp_ngrok.yml.tmpMD5=2FB44E5C472EC66666B766190E79A8E0,SHA256=F183052F0BF79FEB560986F94CF5AE03ABBAA6499B3B9A36B672DCDD7EA1ED4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.623{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\wmi\orig--win_wmi_persistence.yml.tmpMD5=8F15B81D67784706FFBC96FCF309368E,SHA256=0C350187F7E291E66EB5F9E2F6FC99AF534A311A379CEBCD62166DB0B0DEDD0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.623{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_proxyshell_certificate_generation.yml.tmpMD5=E5AC5DA911D17EBEC3CBC7FE84C04087,SHA256=ABDB350D00C3E46E41ADC6764FFD00C3E449EB3EA045F28C0317E8E0DC9E9ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.616{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_set_oabvirtualdirectory_externalurl.yml.tmpMD5=FE75A7ABF7883DD9CA80EA2F18243A34,SHA256=6B69D561DB191F0111F1767166D12B10DED9A7310A2B7ECC70790CEA13D64A6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.615{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_cve_2021_42321.yml.tmpMD5=559A708FD4CFC56DDE729B6999C835D0,SHA256=4710839F794F1BF746209A2381B426F1E78F598C4C564B0201C24AE8B5D324BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.615{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_proxylogon_oabvirtualdir.yml.tmpMD5=485F2895D57AC04F961F9F28594D30C3,SHA256=0ACCDB37E78963D315648CC72FC49BD4DF8F4413B3901A2DAAF342A6203450FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.613{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_proxyshell_remove_mailbox_export.yml.tmpMD5=780DA56E488F402CC8EE4CAA4B4F10C1,SHA256=6E5B3D3E5DAC9F11D3215E74EC58AC04293836A5BC551C63C2C95C1735868D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.611{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_transportagent.yml.tmpMD5=64E9869A3CB609E50260EBA3C7E2FD36,SHA256=5A73DE474BBA1051A6766A73B9266EB0B5901410FC8E09E22854C51BC0033CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.610{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_proxyshell_mailbox_export.yml.tmpMD5=8928F4C53EC1CB1AC03F5080884D1C68,SHA256=F15006C94ADD29034B04356A3A80611AF466AA19FDCE705FF0A0311C738B933D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.608{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\msexchange\orig--win_exchange_transportagent_failed.yml.tmpMD5=40113511478A7E5ED64F51123D36D214,SHA256=7CFC2BD32BA97FA4E2B5679FCEF27B4AC04EF9A34E79E3979C8D3627EEF57F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.607{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\openssh\orig--win_sshd_openssh_server_listening_on_socket.yml.tmpMD5=B760D7D54F6F5AE6A805F7681966C7CA,SHA256=4BCEA487F0EEBA912BA14219CB492BBA34541A0697D18D3B89CEC1DFB5F710F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.606{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\shell_core\orig--win_shell_core_susp_packages_installed.yml.tmpMD5=160CA09334473C63F368C9C6806BBF55,SHA256=5F9ED96CAD1EB77480D50DD30E8F07C13A7DA16283B3F9FEE5FC261071183D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.604{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\diagnosis\scripted\orig--win_diagnosis_scripted_load_remote_diagcab.yml.tmpMD5=5005B6E615DD950523819CF1C826C919,SHA256=855977F652E55F5492166ECAF68F0B36146024F92E57B2B1E8AEB0F632309AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.602{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_quarkspwdump_clearing_hive_access_history.yml.tmpMD5=CB7AE046A9C90744D762CD8CE85032E9,SHA256=B31671AC8B970F86F7A5AE52E030A12CA7DF65870D0C04E617ED8B3C4133FC89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.600{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_susp_eventlog_cleared.yml.tmpMD5=456D1A044EA5CCF419A793BC7ED8584C,SHA256=B36403707E89901D39951ABDA1BAEF5E19AAE26C9A8AC82ACAAD17C21728A2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.599{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_service_install_pdqdeploy.yml.tmpMD5=C5CB64106739CF685BCFDFC41539C02F,SHA256=87638DE22677B02CBED2BEB98312B1383EF3AC41C9D3E5C76EE50780BF3D20DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.597{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_invoke_obfuscation_stdin_services.yml.tmpMD5=392771D0BA7AD3D3B2B0603C04597F03,SHA256=5D9BA07355B6A70FA7F974C1ED2D2CEA6D37DD937C2BADDA4437FE4D07B189E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.597{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_powershell_script_installed_as_service.yml.tmpMD5=2B78FB706C732B4FE7C1F6717862B6E6,SHA256=F69B3553CEA5253B8269603509F0AF1A40C79DD657A666C5CC8309B8CCCACFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.595{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_moriya_rootkit.yml.tmpMD5=9237C4799B39FA085A884C35E7923158,SHA256=E1ECDC302492DB8C1BDAB386DA1D973F018939BEC8FC2CC835B77985A397C319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.593{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_lsasrv_ntlmv1.yml.tmpMD5=1FC042856C2640FE36EB46E6C5EACFD2,SHA256=6A8B442298FCD20DE345BD99A7B5F20898EACC757AA18D13FD4A5D6C22BF53D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.593{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_rdp_potential_cve_2019_0708.yml.tmpMD5=666203E904ABF59985868AA659B4B4B1,SHA256=C2C54343B8C0B8CACC299D065789E3402A5B197DC3FBC9781D4C16DF9FB6EFB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.592{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_service_install_paexec.yml.tmpMD5=173B2791E0F94A8BA22A2AB32FF93042,SHA256=7BFF6488A31F45D6CED7838DDA146C379E03E0B1E594B100D44C3EEDC1767850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.590{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_possible_zerologon_exploitation_using_wellknown_tools.yml.tmpMD5=618B9E9AE097B7042EFEFC3392A48A46,SHA256=18C634CAEC96DCDCAFD924905BC3D13CC83D64A022F1D5F8D448750BDFC910F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.590{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_service_install_pdqdeploy_runner.yml.tmpMD5=8DC8DF037FE7035BBCDD73580E726438,SHA256=B139CA24774C011DC6D5D925C0017AF68900A52EA8037EFD59EA6B9D876B748E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.588{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_susp_sam_dump.yml.tmpMD5=10D90C8776C52CC70924B3976F5C490F,SHA256=900C6AC6E727CFE9AC4AE18FF73967391429718BAB58F23B75B2B9DDF8E9C6D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.587{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_service_install_psexec.yml.tmpMD5=73553F7A0CD584BC348902464BB241E0,SHA256=4F5A4B0DD7094D4870AF30C1F7755F4B645C597ED3BD1ABBE14C7CE37B62E85C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.586{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_susp_system_update_error.yml.tmpMD5=6E60FE12A8AA116CAF4355C2178DD267,SHA256=230E0E937E13CBBF14A73EC66183BB97E5D5E30BC7D16C1D1FF8E902071E1091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.584{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_ntfs_vuln_exploit.yml.tmpMD5=C6435E63960181D890ED2BF561058FAA,SHA256=20C81B99E43DD5EF31E397A003A312B67ACD29835DFA0A27FFCAE98110C2B8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.581{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_kdcsvc_rc4_downgrade.yml.tmpMD5=8E81BE3059E40539B0C10A1CF3A55DC1,SHA256=1C08F3F9698E9391E9CC40BB92808E680351214B77246CDB05F6E427A9465B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.579{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_apt_carbonpaper_turla.yml.tmpMD5=B444A2DE6315A62A1999F03E929F080E,SHA256=3EF8572F4F83E858A372FF05AE0E8FFAF476C9F5F54B3A1AA3683C0B57263098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.578{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_invoke_obfuscation_via_use_mshta_services.yml.tmpMD5=3E661F4AB526F8E06FF0C5F5AE16FC87,SHA256=E0A90C8024565F49ED931357474905F1CBF467042BB032EAA8AB5BF69F6E720D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.576{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml.tmpMD5=9E421074250A521EB1208556D977808B,SHA256=B665755E738F99028A13B014DE3FD1543020344522DD8A30D3D1D62F6C000EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.575{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_susp_proceshacker.yml.tmpMD5=29007F34AB4CAAD8B0672FB8318636DB,SHA256=E8EA4A8D4CFBE390F4007EF842416C727B0E0973F5EB3DD9AA801C5D3936DAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.574{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_vul_cve_2021_42278_or_cve_2021_42287.yml.tmpMD5=E4F485EC1F9209EF8733D06D9F9D6594,SHA256=F51534414ADEE2E490014D49947E1F9DE2C273EA77B9189AF5C68DBE2DD47CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.573{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_susp_rtcore64_service_install.yml.tmpMD5=C3A421667A51751916F48B0A3D19096F,SHA256=9DB1856C478BC135BE3C1AECBA6645D47C269006DBC0B118EDB74AF94A3F2CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.572{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_rare_service_installs.yml.tmpMD5=0BEC1B3B5BB0F1409167F73C01EC723B,SHA256=F6D62C15AF8DC09913BCE8A85E79F261656869FCC9C2B1C65D790BB85C047F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.571{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_vul_cve_2020_1472.yml.tmpMD5=CB00262E66574C12B4F259F359BDD125,SHA256=54E047F01854F54DFC3618C56BE65E3C58C13C2D7D776EDE86EA9C83A9D0ACE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.570{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_service_install_netsupport_manager.yml.tmpMD5=BF0406B82B00A2236353E524CCE25665,SHA256=ABD16ABB4350257BFD3319663C7CF3B0622406B36F3707C9ADD1CE3EC1911030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.569{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_invoke_obfuscation_clip_services.yml.tmpMD5=D12E1E3D8599B1A82E5A977392239991,SHA256=C970DCA2B455140675C4DA154FA6C7B2D3541309A0078057ADFD9BB45567449A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.568{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_susp_service_installation.yml.tmpMD5=FC880DA0F699399FB299C8D3BB59D99D,SHA256=E8B669AAEE7008EE2E30424EE717D3FFEFEE04839B9C4E1B45CF9AC2A1A93F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.566{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_application_sysmon_crash.yml.tmpMD5=150B573A26F5BC3A4ACE910D493A771F,SHA256=5FB872C6D632CF079AB515A28F20A6C9150AADB1E44ECA034B465775C3CDDD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.564{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_apt_chafer_mar18_system.yml.tmpMD5=0AC2D1E0C6E1E948A2367201493C44C9,SHA256=99C51A29894BED67D0770EED580FAF4FAFC4430AFD3D179D22F28D2E0B0AAD8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.562{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_invoke_obfuscation_obfuscated_iex_services.yml.tmpMD5=E1DBC313E3F29FB236C181BE2934F52C,SHA256=E95C242B8EAA0DB90E16033A639632EC3AEBF6411C5A1EE28AC1764AEE504587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.561{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_service_install_susp_double_ampersand.yml.tmpMD5=BE005F3D0EC520373704B8A8944F7FB5,SHA256=80A36C70EED74CF8A897B6259366B96F2494DE5A0585040A907046F031DB7BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.559{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_invoke_obfuscation_var_services.yml.tmpMD5=6FCE163012BA5BCE5FC09E16EBDDBB99,SHA256=42B0CA648892B8696A0B1DA8B14F6A04CE89BDC842F37E6C84A5EA9F56D6498C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.558{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_invoke_obfuscation_via_rundll_services.yml.tmpMD5=E7AD64BCA6492048D1F198EEF06F744F,SHA256=19637608552E8BD9EBDA7A604B55BE951D76AA4BC0F05F592A7CCD2EDF54B732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.557{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_apt_stonedrill.yml.tmpMD5=DF0DEFD03732ADDF3BF3BD6D929479FD,SHA256=0BE7F036B9CD17ADBD247C16A3EC4CF9D895D5D4FCAD47462B68D777712BC3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.555{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_pcap_drivers.yml.tmpMD5=22B45BE8C886E01C5BD660E0A91DBA4F,SHA256=D51E290BDA127D0D4AB7EF244B26E7C3A3991CC7869126AC3F6298A974C9822E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.555{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_krbrelayup_service_installation.yml.tmpMD5=6C37BBE9E6A2E08D90A8119BCD9A8E47,SHA256=621F9BBEFB045AF4A759F1FA12488775FD6F819CECAB2CFF5B8F56462B736909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.553{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_service_install_remote_utilities.yml.tmpMD5=E001370C06B03303657735A9A34CC24C,SHA256=869D21F3CED35397E545A12CA9E465AD9DE4BEFE86EA9EA7C0B617D6001C76B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.552{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_eventlog_cleared.yml.tmpMD5=22B6E77F6788F9AF42B4231183C1CC17,SHA256=E06ED683FF86267ACB9562688DB7A9262732834E3A2F560241FB4B1A03FC9E39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.551{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_invoke_obfuscation_via_var_services.yml.tmpMD5=1E484AAECF08504C9A32ED50860B38D6,SHA256=94DECB42D42902A910272BD8C755690CABF32FB9629B427607717588258D41F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.550{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_susp_dhcp_config_failed.yml.tmpMD5=CB9468DA0DE3CB079056703D56683E6F,SHA256=A6614A7050794C537C95BABC183A60B68C213CE43A9FC638E3D228E36BB1B6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.548{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_invoke_obfuscation_via_stdin_services.yml.tmpMD5=3C5E418715778FCDE91603D49E4FAD0F,SHA256=4FA1C5A5D4784219D889ED9666EA66FA681482872C677C29DC0912F0A4778322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.548{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_cobaltstrike_service_installs.yml.tmpMD5=CD1EDBE29D5427D0C5A99CD3E6F65D1B,SHA256=55D04D021C7715114980DDE4AF1DB4CC85AFC4AF8E26B4DDDD8A5A6EC060C075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.546{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_invoke_obfuscation_via_compress_services.yml.tmpMD5=6889537D26E16B1301B9FD75EA4B480C,SHA256=0AEBC2DF53FEF2165ED4620725F41F738ABF617927D0F132C993DE0C8AE5F13F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.544{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_susp_service_installation_folder.yml.tmpMD5=B116FF1FA66D747B6A5C6FD8E6CCE095,SHA256=5B7A8B66242F9AF8EE838F9CEA476F8F6AD24B6EF5CC8B4EB0FB192BBF23489E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.542{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_susp_service_installation_folder_pattern.yml.tmpMD5=065453F064B4C0E35AEC36C707289FC7,SHA256=7D2A249F804B53D681BD0DBE2A6991D751B16805CB1C19D712FDB074BB2B835C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.540{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_volume_shadow_copy_mount.yml.tmpMD5=BB23FDD32CCF1E5481E76244C2725965,SHA256=E7947D9063CE13A94B601A697748ABDCF539870E462421928B9192F82DBAC914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.540{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_susp_service_installation_script.yml.tmpMD5=BFA7563B0359FA36F6F778C80273C183,SHA256=3CDADF2EB4FD9C363150FA8B859FCD6C9BC45BCD7DA58525467110AB21801972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.539{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_lpe_indicators_tabtip.yml.tmpMD5=160D9CDBAE5684980B30E6CC6B3534DF,SHA256=27A3A8A8CE9E4A1013A555E7E09E2D452A6E007246ED9B601E3C19EF418E73AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.537{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_mal_creddumper.yml.tmpMD5=0EDFAD53D6B557F82709197E9F4CCFC8,SHA256=D9D8AFBEDEA5825AC89D6362837E03BF44DCBC70380F45BC810185D48E159B56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.536{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_invoke_obfuscation_via_use_clip_services.yml.tmpMD5=816AFF1BFDDC4FD2582431D0694028DF,SHA256=9A4FF4FE0B4ABA93151CB427E27E273B844CEFB63D361C62499C3D457F7F8EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.534{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_defender_disabled.yml.tmpMD5=C9B324EDEB7A12DBF202618298F270FF,SHA256=CDDDCB1C08E816661AFD31C3BEAB7BE12F9CDD62DB3A05F60C75210470154D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.532{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml.tmpMD5=B5E6A8E085A5F847A41D28EB061AF2E0,SHA256=4B48A9BB8781F4B9A1E29618B8F2ED5378ECD896C994A2A7903E393FB9EE7339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.530{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_service_install_sliver.yml.tmpMD5=753C913A4A1A265175CD4B26C18A2AEA,SHA256=6347052B67C255393FD89A67AC5CA184C749D6D605A1DE0DC7E00D4F173800CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.529{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_hack_smbexec.yml.tmpMD5=9529FFD5C88BDCD380D763CEA389CEB5,SHA256=05248AC800FAFF94F971AE3FC1F0F136BC1623F37E77BB9B25F6708D159D63F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.527{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_system_service_installation_by_unusal_client.yml.tmpMD5=3EBEA3493C36B66FD59013721BA767F0,SHA256=F857EBCC4407A181754919B065628CADCF93CA3E73FF3E0DA99422967CCC9838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.525{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_susp_dhcp_config.yml.tmpMD5=89ACD58C074D72C156974754F1201FC2,SHA256=8ED2FDAF7077C9DA15CEA735D8BE81D2265C98741A16245EFC5CB35C85B20E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.524{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_tap_driver_installation.yml.tmpMD5=493871957F482325B26660955DD9FE1B,SHA256=37517EF14FC05F84D799E1885D954BF91EDF19D5DB4A82AC2019F96EDDAFAAC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.523{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_service_install_hacktools.yml.tmpMD5=D04B2B6E4B71B7A1043E0AFCC7F3EABA,SHA256=AC1F5DE9B90E402963430B7010DA2443ABF16E214019EE8EEA82AFD46C9E3222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.521{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_apt_turla_service_png.yml.tmpMD5=FC4F7ECAD928D952C1631801B94E8A17,SHA256=042F8CD1B63ACB92C4C1DBDE6FDA62C1352A124B3BA83BD4F4D4BEAD2A0DAA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.519{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_invoke_obfuscation_via_use_rundll32_services.yml.tmpMD5=B9CDE4E6349E866F12086DBA5030AC0F,SHA256=5364CE494A0CA31373250CF03F624C22C8EF13DABD438019DA1D9F48DB695908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.517{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_codeintegrity_check_failure.yml.tmpMD5=1BE0C9ADC09BB7A2B87CFF42EF0AC944,SHA256=76000B2E701BCC745D99477F6D265923E373E872C14190F7F732B81475FF5BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.510{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_etw_modification.yml.tmpMD5=0536A3653541C1D531A1688DF1F28067,SHA256=D6A164DC8979AB8677AD7723D3DACA6E96A3D1EEEDBD085B783E9676927A7D73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.507{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_scrcons_remote_wmi_scripteventconsumer.yml.tmpMD5=1D3ECDFA46C0F7443E702CFFDA05C85E,SHA256=CF3F3BE774330DA15949BE41219E44F767ACB2BB60F4C5386BB787C9270F38C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.505{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_ad_user_enumeration.yml.tmpMD5=DDD75440B9AD919CD71E649464006D1E,SHA256=028698ED50D8225B996488D959FB195B352A48C70197A7287404B2AEA2228BD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.504{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_teams_suspicious_objectaccess.yml.tmpMD5=B3F81AD9B88A26EEB422F2C8CDF8F27E,SHA256=FA3ABE34370E32D0BA25835BEB271A6083D8618A333254D7AB232B40B2C3672D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.503{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_apt_wocao.yml.tmpMD5=437722CC3A1498099CAE2A26110F5706,SHA256=10722760585A3D369EE9C37BB6B95C5093744B775F49CC3A64DEF51BD7159F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.501{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_petitpotam_susp_tgt_request.yml.tmpMD5=839D1EA3A36BA7B8CF41F1DF13C04835,SHA256=8ABA5A2D3E0083EE860B3B7AEFA046C5DE021768795C380D6472B7E51B74DB79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.500{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_local_anon_logon_created.yml.tmpMD5=F5AB6BD71F15EA9C07C5725A34F5E73E,SHA256=33B760D0060CE6253BF53A076E5BC590381C964B28FAF991321D48A2FFF56980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.498{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_logon_newcredentials.yml.tmpMD5=ECD971044533B2F2F499D20C6A63E543,SHA256=5E3F137B3C22F72879DDE4DE3A1EA5B3CB50CD4D29DDD0B3DD70DC259698DAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.497{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_atsvc_task.yml.tmpMD5=B882AFB2E63315B66A4601B1E8D6FB20,SHA256=73A35BEDC5345F0C430804FB55FFB77874D6DED1F3F19FE401CFB7AB425BF928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.495{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_syskey_registry_access.yml.tmpMD5=4216228D7075955BB7D7392A382C2145,SHA256=00E425F8620C5C7E3B7ED8B0C68945EA0CAF06D5D3C2FE46E705E6A4C5655C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.493{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_psexec.yml.tmpMD5=825F05979419E3EE5E018A47F71438BE,SHA256=CAB2F9194A7ACBD9C9DD1FEF2223D902CC0923BF227EBC12450212289ECB5C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.492{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_dcsync.yml.tmpMD5=594DDD6682E74C13A817B490D8941977,SHA256=3C80748BD71C0F17167897C8DF817FAC00D3AE95ECB1A33027161657D6BAF871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.492{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_failed_logons_single_process.yml.tmpMD5=DDF610175F4697AE604799FFD84C999E,SHA256=84219C862FE0BF5D7041C0A9DD8A28E75E818AECA732450C98FC3B1696BD9332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.490{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_user_creation.yml.tmpMD5=84BDE71F79597CE9A69C0F9D43AEF2B4,SHA256=7E0AC0FB236645810294AA71900540AB474EA212C0A2C73E1811E1AA7AD7A5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.489{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_diagtrack_eop_default_login_username.yml.tmpMD5=2218999E405C790C456082258B406DD5,SHA256=6B107F31AB976431DAD62BC91404445D54A46B1BF0444023692D79D8A81BDA43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.488{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_opened_encrypted_zip_outlook.yml.tmpMD5=595730B8D3FA97870EB5C6D8AE169AAC,SHA256=05099BA63926043035CDDDD29743423E8AE60BE57E6F6BF670CB5D9B9162C207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.487{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_device_installation_blocked.yml.tmpMD5=222A16F857EACD9F09100A1A83748641,SHA256=BD27B1D197FBB58B26C55D44263F9097C387341056B9B97BEFE763A4637DD896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.485{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_alert_active_directory_user_control.yml.tmpMD5=B91A7DB78C49F99F3FD6CF36A71FA390,SHA256=63807C7C591C5B78DC0A4F1AF65C51DC82287B7DACEDF8A1149579B641F28F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.485{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_scm_database_handle_failure.yml.tmpMD5=3BBFC0BAC4A3CC555D81A7F88683E4E6,SHA256=1C1F9FF3763FB305B7274BB6A012A84F59A01B2DE0556E6CA539008877060884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.477{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_lsass_dump.yml.tmpMD5=FF5603A00E5F8EF639FC9F5446666E66,SHA256=962013C46ED18D2533AC9F39A712F3B9A55C35049159A6275E99DE2C6447FD2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.475{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_lm_namedpipe.yml.tmpMD5=D0EE92726F92D0001EA43C4C9E509A60,SHA256=3057F0C28AA79E82514C3A8ACBC57487A015077D7D91824D488851834D95DCEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.473{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_service_installation_by_unusal_client.yml.tmpMD5=107321474E3D3E96EFBA2E9BDDE91563,SHA256=ED3E1E794786351DDA353F4D5ADF16CE08A683E6FB16829FB954FB6BD8D9EBB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.473{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_apt_slingshot.yml.tmpMD5=798F408075A2B53E6E9BE3DF92B45C13,SHA256=C71AAB1C765236F72F1E7B82EE73C6B1B2BB589D95F5631DE09FC30CFA9DBD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.470{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_mal_wceaux_dll.yml.tmpMD5=FB7F5784442B693178CE5AB466BA4C1A,SHA256=34EE3F5D712CF6F54CA00FED143655151E87A074D2A7BC48AA1B6F003EED498E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.468{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_dpapi_domain_masterkey_backup_attempt.yml.tmpMD5=C50C0830A38853D902EB31B372B91990,SHA256=9D4CEB23EF3C77DD3D16D8163AF334B07FA5E2855983E40E67C2B8B9C8AB172A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.466{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_possible_shadow_credentials_added.yml.tmpMD5=1A4A3587AC5425C44A365CBE01C7C7BB,SHA256=9273DAA56E0A705001056D8DFCDA5E9E3204BB4DDFD2EF6A9F527271BD1FDB9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.464{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_adcs_certificate_template_configuration_vulnerability_eku.yml.tmpMD5=ADBACF2769B5621A5B4FD21F6339F8C1,SHA256=9197E23250DD960E32C3FA92497701B93FD339674BD1C949564F4528BF5B36F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.463{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_sysmon_channel_reference_deletion.yml.tmpMD5=D8FB36B32D0E0AF0B78C149FBCC88AAB,SHA256=4E6C2F0F9AF187B2C7D8FF29AA36BDD4BAB9292FC4C9919CD728CF32F21CC0F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.462{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_invoke_obfuscation_via_use_clip_services_security.yml.tmpMD5=A4BDA9FCF9C692A352BC2388D453A9B5,SHA256=F919DBDFB30162533E99691B8E4A8A1733951800C5307708EA3E61CA507191B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.461{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_sdelete.yml.tmpMD5=C99BAE802C97B2ED7BD612C79D0AE66F,SHA256=16948BFB7416E7762ECA18348986D88A71C11C1971DBAFEBAA5CB3B2E2269B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.459{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_failed_logons_single_source_kerberos.yml.tmpMD5=230CE5292617B7A817C3D401B4AC5C99,SHA256=8CE6C97407085F8B14ABC4F6B073E0F18F3ADE3CE8BD6491C48996E0C8A5C9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.457{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_metasploit_or_impacket_smb_psexec_service_install.yml.tmpMD5=C219CC9CA256A12AD93D1E1962CBD213,SHA256=E739278FF35BEC4C67D64F431E26D98B3980FAED1341D39112A0B898E7DFA13D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.453{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_wmiprvse_wbemcomn_dll_hijack.yml.tmpMD5=C6329DCE5A9A2E61C5092781788D9EAC,SHA256=8D1AC6CAAC44B8C533C22FD0119D41BD4122C3F2597D9721D9914F3BD36354A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.451{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_scheduled_task_deletion.yml.tmpMD5=D2A43C301ABACD547E39FBABE906EBED,SHA256=DD572F443A2E12B9DB54F7D53711FA67F4FA8AE5D77A540DEF07ABC808654F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.449{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_samaccountname_spoofing_cve_2021_42287.yml.tmpMD5=8E3691C67E404B17ED60C34BD9CB8EFF,SHA256=CF971A77EDF2BB1705B12087E531F99C895F9D2B60A1E2F6AC7FD902ED48188C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.446{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_invoke_obfuscation_stdin_services_security.yml.tmpMD5=276542EE807ECBBB5261C254C784F24D,SHA256=EB72A26A0F56E169CAD3A9D1F36C1A6E7504BDA57D1C7BA7881C34A3E064A92E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.445{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_dpapi_domain_backupkey_extraction.yml.tmpMD5=4FF4262C92BD2460C4FBB7D9BDB9C5B4,SHA256=C863708DEF34A72018CA703ADCFBCFB6E5B0C0D04B9D477993528731946B5BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.444{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_time_modification.yml.tmpMD5=AE3FE14E350E97D3E53E29FF4EFBDFD5,SHA256=CC793D361270BF3BF7F9C0BEA1194A316F4B91D7F7E5636F0EB4CD92F4699C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.443{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_rdp_localhost_login.yml.tmpMD5=208BAA11B236B492F07893B86C297505,SHA256=CC85B918090E9D25FB5C41690BFEE9B56F460D2FAA300B860D1F0425EA8B2B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.441{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_disable_event_logging.yml.tmpMD5=20C2157DEF9AD64F2095396F03AFF966,SHA256=2618694098D2EA88602BECA02AE65E03D1A417CFA74AA30D4746FD10D0D5E765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.441{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_user_logoff.yml.tmpMD5=CB2FBE04CCAFCFC8065869714BA68F66,SHA256=9589606C7B93D8B5BF2CC2FEBB931FB433A11FB82E8BADA46D541C4F0EEF4327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.439{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_account_backdoor_dcsync_rights.yml.tmpMD5=1EBBC91945B35228887E6754C8E38074,SHA256=B04E9FD9F2636F7F77D635B8264A04E84668C2F2288904A2E8FD157AF0627D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.439{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_net_recon_activity.yml.tmpMD5=89C37B7E6A8FD28138FDFFF914EBD7D9,SHA256=D94E5C57B7CF6B918B5ECC0548AD383E8F45419787BF4B81B443DB43981E1215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.438{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml.tmpMD5=3E597301A264A4DB60E0ADDDB4BD02F5,SHA256=B8132C191EF1B2A0230CED587AFDC5E8E9DB8544F6B59983ECFFB3FBEBA6C4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.436{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_rc4_kerberos.yml.tmpMD5=AD2F78DEACCC444B84D353F7EEFC6076,SHA256=EAE9463EC2F4ED1E1A8AE9F8AC3DCEB946B92E6B7814D7EEABC4C5A6DC0E4A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.435{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_aadhealth_svc_agent_regkey_access.yml.tmpMD5=77143A83F35A6BB4A03D2A2240737757,SHA256=8F5D9FBBF761877C9CCC3B8DAB762E684A949282B0C806396F8261CA0EA3614F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.426{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45B3AE5C0069D172042CF514A418018,SHA256=E4C2AE9E74793795F2B00A60BBA4D4B8A4E824F55866E36879267FCF140806AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000842841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.426{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\security\orig--win_security_susp_failed_logons_single_source_kerberos2.yml.tmpMD5=7653885120D50B54CD6A43752C48C691,SHA256=79457F918CB6232C3AB6548957F6A3C46900395C84505F76F0ADB6A1A591CF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:36.317{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9738F7D6F4F846DD3F7D863DEF38FF71,SHA256=D61A6F5862C49A3CC9A5880120277B17FB361AEF17FEB9A1F5917EA6720A127F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000843379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:36.998{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\TypesSupportedDWORD (0x00000007) 13241300x8000000000000000843378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:36.998{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\CustomSourceDWORD (0x00000001) 12241200x8000000000000000843377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-DeleteKey2022-11-30 09:36:36.997{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent 10341000x8000000000000000843376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.995{8A63456F-146E-6387-0A00-000000009802}6362552C:\Windows\system32\services.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.995{8A63456F-2424-6387-9602-000000009802}4784NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent.exeC:\Program Files\Aurora-Agent\service-startup.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.954{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.918{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.876{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.859{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D52F6E11D1F145E78F50A236D3D5C25,SHA256=8005EEB7B10DA502A2448576A080F4EC851EC0EB92445A3945DC11868109EC2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.836{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.808{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DA592410D5EB03BF39BC17BC68B975,SHA256=30DD810D8A1E717DE78C985FD73A5272DF0BB763191363F17BC1E4085F228932,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.792{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.752{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.701{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.578{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.537{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.489{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.445{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.383{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.331{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.273{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.261{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.261{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.261{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.259{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.259{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0800-000000009802}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.259{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.258{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.258{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.258{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.258{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.258{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.258{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.258{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.258{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.258{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.258{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8E02-000000009802}4240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8E02-000000009802}4240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.257{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241F-6387-9502-000000009802}3300C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.256{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241F-6387-9502-000000009802}3300C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.256{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.256{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.256{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.256{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.256{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.256{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.256{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.256{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.256{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.256{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.256{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.256{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.256{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.255{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.255{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.255{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.255{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.255{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.255{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.255{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.255{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.255{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.255{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.254{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.254{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.254{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.254{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.254{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.254{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.254{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.254{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.254{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.253{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.254{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.253{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.253{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8D02-000000009802}2360C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.253{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.252{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.252{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.252{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.252{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.251{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.250{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.250{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.250{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.250{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.250{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.250{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.250{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.250{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.248{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.247{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0800-000000009802}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.247{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0800-000000009802}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.247{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.247{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.247{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.247{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.246{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.246{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.246{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.246{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.246{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.242{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.241{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.241{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.241{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.240{8A63456F-2424-6387-9602-000000009802}47841936C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x8000000000000000843238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.237{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.186{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000843236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.186{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.186{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.186{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.186{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.186{8A63456F-146E-6387-0A00-000000009802}636368C:\Windows\system32\services.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000843231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.053{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe1.1.0Aurora AgentAurora AgentNextron Systemsaurora-agent.exe"C:\Program Files\Aurora-Agent\aurora-agent.exe" --service --config "C:\Program Files\Aurora-Agent\agent-config.yml"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=9D3844E10A3CE66C9908670A31F7A58A,SHA256=F82C65314FAFE8E350188953B877147874AD4D2631F1A89686B0DDB8DC583BE2,IMPHASH=FC1DA3B0A7ACFED2DD9996A75A66EF91{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000843230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.170{8A63456F-147F-6387-2A00-000000009802}26802252C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\tileobjserver.dll+c332|c:\windows\system32\tileobjserver.dll+10992|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000843229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.170{8A63456F-147F-6387-2A00-000000009802}26802252C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|c:\windows\system32\tileobjserver.dll+c2df|c:\windows\system32\tileobjserver.dll+10992|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000843228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.155{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.155{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.155{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.155{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.108{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069B6D42455034A80A8204B1F001EFB8,SHA256=87A7D84989F536C3ABBF09906A27731BFE19D5C9498A75F7F1376B9E7841B065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.052{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\builtin\system\orig--win_system_anydesk_service_installation.yml.tmpMD5=F409A3CA1B02C313141AEE058AE30768,SHA256=039AAAB83E4590B2F168435B33DA134E5E31C4A3EE41E65BEBEFCB70C5B3E7FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.049{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\response-sets\orig--aurora-lite.yml.sig.tmpMD5=6E0D7E30E1CBCE1DA3501784CA1D0C31,SHA256=BEBE462D1B76E0717630D643542C10F051DFE3752445098AF5D9688E2FAD0209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.048{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\response-sets\orig--aurora-lite.yml.tmpMD5=AAFCF1CC2453BAC632C241AADC0F3342,SHA256=93EAEE4E5430AA035E569DC69E7F7A047458C04DC189908D9EBAB438696C3B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.047{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\orig--sigmarev.tmpMD5=CEED6BA67ACBB5577200FBC59D1C6E7B,SHA256=EB267EBE9A269327C7264B39BC06C934C84B1393489DCDC4FC3B7A925B642BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.047{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_get_addbaccount.yml.tmpMD5=EFC711CAF4B9B585D7B19F463338FACA,SHA256=0324859C5A2723CF2C42F0B310B41354377FC43F20E6E35A2381F1508CED99B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.045{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_stdin.yml.tmpMD5=38DD2808BAFB264CB39835A0E5912937,SHA256=25CDA370163B956023BC94D99056F2A6537BE1EE68BDF7C2BAA1BBEB6445198C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.044{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_invocation_specific.yml.tmpMD5=61E7BF25A9F285BBB28BEAD47008D02B,SHA256=7C334633574A772C5F541A38901B22DC84C12C7C17B0267957CFE311961AF0FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.041{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_remote_powershell_session.yml.tmpMD5=9DA799BB6BAE32CBB3F9CC65B7C993A2,SHA256=097A7E2504F950F71590E694FA190431931B7013A62B44DD3507D4B1FA6426B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.041{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_via_use_clip.yml.tmpMD5=9DB5E1F08D70306B7BAB439EF1DB4804,SHA256=2BD6668012F80610C841AEF0ACB8D244BF8F48239146EAEA2E3F04E02393D1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.040{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_powercat.yml.tmpMD5=11C4E20919A928D221FAF8D1A5F34A42,SHA256=2DD3C675B1D6A3A833E46F3C68D29AB86EEE3FAD39F0CBADF291922710FF9869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.037{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_download.yml.tmpMD5=B3AB2D0EB430ABBAD6E03650346E5C1B,SHA256=5E981DB22C5467B6BD1468F7CE9A7DBFDCFF9AEB38E4C38434E0D57A5BC4B7FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.035{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_clear_powershell_history.yml.tmpMD5=50F542B297302932B6768F5E8460B661,SHA256=CBAD1EA5EC3609DD18D6CF82466473AC97F95F5836B61D91B68A7C5C01F68D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.033{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_syncappvpublishingserver_exe.yml.tmpMD5=3C16ABCECC12DD69EAB01C7531DADA66,SHA256=79F288790E20A371826D9CDA95FB553211B9A08135BBAF7CEEE6BCC850399885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.031{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_get_nettcpconnection.yml.tmpMD5=BA34F5176E0A84EC8DEA520A5352A40D,SHA256=AB85289FF51DE0192016A7325AC46FBF009C6751151F7F114113A96D2760A255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.031{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_via_stdin.yml.tmpMD5=59BF060125A3434DADFADD74119CA506,SHA256=8C68E069B9CA593A259E6E7789041C3C1837322F1794CD28C666F3B3816DD2A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.027{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_smb_share_reco.yml.tmpMD5=68EEF06DFAE5060AA1B77B6464CA515B,SHA256=430B5DF95E1B96F305A72F9F3837D6B02A8B0D4D8CDB38D599A81E885F084938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.024{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_zip_compress.yml.tmpMD5=12786C21A0E3239DC5C1C36C4E74F873,SHA256=BBEA6EADB8D07D7C74BFD33CC76CF500A2BEA25DBB175D31588DCDC329F0F925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.023{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_via_var.yml.tmpMD5=683807827CCF8BBB9EC6976987266A63,SHA256=58D9F5A0A85589DB5511B5F166680565122FFF9AD1959A4071F156E0E0327D8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.022{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_decompress_commands.yml.tmpMD5=08877FFB9A8B34D38D4333011D5F30E2,SHA256=B42202C85C9CED372E7BCF2AA9CF5F2D6FBEE89F360D9270251DE6972FC080E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.021{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_get_clipboard.yml.tmpMD5=A40DDE7D9C66C682AEEB9C0C5E35654D,SHA256=4D94A8C86186E33455D0F33DCE10461A12D737DC5D9662185902C49C3F02BCDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.019{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_via_use_mhsta.yml.tmpMD5=F22D4D50108CB93178BCD9D16C850D7A,SHA256=17646C6BA9F2EC39D860E4299F7BC942CB2E403BE47616649415DC2EC2204FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.018{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_athremotefxvgpudisablementcommand.yml.tmpMD5=CF3FAE04E37915ABF7A1E98E66B30755,SHA256=F65EEFC9B6577104E1BE8FC269CAF0FFB56E3923A2D5A3B80886DCC7A59985E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.016{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_obfuscated_iex.yml.tmpMD5=384DF2B13409402C75637E21F1FC24DB,SHA256=C83CE8C58A3D8DE538FE4ACEBCC26CFE9E4C6C04A242F74E59B543935CBD4BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.015{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_via_rundll.yml.tmpMD5=0510717E263716F79358A627A1FF1802,SHA256=FD783D8E6D3D7B0BB4D3394960D11EC9EFE3EF8E5F4EEB629E3EA603D98B3E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.014{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_local_group_reco.yml.tmpMD5=CBF46C48666B4BF14560D85712357101,SHA256=AF23450293A5605D56474969AF48F460B544354339D4C6C39733242A59CC9FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.013{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_ad_group_reco.yml.tmpMD5=99C90C9135F92E87268EF24A1811F498,SHA256=F73DC96C4F980F260AAD8B7DE9DA01011A65BD0719FAA13C062EB5F987E6D84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.012{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_alternate_powershell_hosts.yml.tmpMD5=B89602A546199DD8F1242A9DED3A03DB,SHA256=CB015941084DCE3F9BD6D5E24B7BEBF85CB65FF1A7152B7C6854499FB6032768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.011{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_clip.yml.tmpMD5=D2C054DD5FBBAF193B90EA3097F02CE1,SHA256=1C88C25CA83ED08CB5DE82E14B9B0A16A3C58B1183D9CEF23458EADABB1FE27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.009{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_via_use_rundll32.yml.tmpMD5=F98D7889D14F57B635678CBBE772A060,SHA256=24D13508508F4C257E15C8F7D4BCD3E95E536145A08C6761451CABBD32DA92B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.008{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_invocation_generic.yml.tmpMD5=94AE46957AD73A0141989C8D1C0A927D,SHA256=89D674E4647105C53C2FBD865B9636E7ED99EAD4A6F05DB7288607AEC315A052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.007{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_var.yml.tmpMD5=EC87DC2F9BBF4027FA0083EF88A1F0D0,SHA256=50BA81BA6DAD2B9CACD8C71E5FFFB8E34E5A592775B0F22F2C5D6D4A894BF684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.005{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_invoke_obfuscation_via_compress.yml.tmpMD5=A334097C2A1225B85FC8E617563E9029,SHA256=2CA7A2489A637CF4EC527E0020D2452142E84CA03C631E373219BFE70C5400A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.003{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_susp_reset_computermachinepassword.yml.tmpMD5=3B4BE8C7AB9CD88274E955285521B980,SHA256=AAD4E08BB0F8F100700F17584557A0BA6AF3A134844CB2CA87365CE2F7AAB62D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.001{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_module\orig--posh_pm_bad_opsec_artifacts.yml.tmpMD5=BF632D6B2B54FC9506ABF04CF28B2B55,SHA256=F0C4837D6851B3024A6839549B56AB4397C60A1EBA7CD1BE50B04606BBDB61DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:36.000{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_alternate_powershell_hosts.yml.tmpMD5=CB20085FCE9F2AA57F67988E9CA5E051,SHA256=178BA39084258E592DF9A0BB064E4DB242B44C7758D5023E01ADED161C134793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.999{8A63456F-2417-6387-8D02-000000009802}2360NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent-util.exeC:\Program Files\Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\orig--posh_pc_exe_calling_ps.yml.tmpMD5=2E08D097736BB5776B97C97239E6EDBB,SHA256=2C44569B613645DCDFDF39B546A34F8A2AE369DD52A3AADF84664C77EDCC5221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:37.488{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDA2014DBFDB2A744B8A458B96FB554,SHA256=BD0EC30D6F5F1D06AFE7F43A6FC6E3B29B018C2AA56FFB451260F7BBC9830D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:37.393{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCC951115174F1BE9F3F0789029E649,SHA256=3B46A05A58DF9EDA098881BFA71EF4146AB179F33583AF9C24B303C0AA6E2948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:37.174{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2021C1A70976DF4272499ACBF0524AE0,SHA256=F529DD9C55C3DFAF3246A75F6B4E518F1366821FF1DCE7CB8BD4137FA5E50567,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000843385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:35.584{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54107-false10.0.1.12-8000- 23542300x8000000000000000843384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:37.222{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=48B0E3E531243BBEF439C38124BAF85C,SHA256=ECD5913273B40E6985CF1D1E45574F8321A3B2F342D527860282A63159155C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:37.179{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B8E699B1B76222614F80D4817C98F6C0,SHA256=7B0344588C67EEA529C9FC3B2F6E745148F3EBF968980E96ACD4E9B2CEA7A7DE,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000843382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-CreatePipe2022-11-30 09:36:37.016{8A63456F-2424-6387-9602-000000009802}4784\aurora-agent-pprofC:\Program Files\Aurora-Agent\aurora-agent.exe 17141700x8000000000000000843381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-CreatePipe2022-11-30 09:36:37.016{8A63456F-2424-6387-9602-000000009802}4784\aurora-agent-statusC:\Program Files\Aurora-Agent\aurora-agent.exe 13241300x8000000000000000843380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:36:36.998{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\EventMessageFile%%SystemRoot%%\System32\EventCreate.exe 23542300x8000000000000000393566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:38.481{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F5A6A20486B379B30D56B9EF0ECD5B,SHA256=78D8E4974FA119250038F118A39AA190ADC53FCB5E6F3C0C6F351312426F2084,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.939{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.914{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.914{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.913{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.913{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.913{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.913{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.913{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.913{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.913{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.913{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.913{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.913{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.913{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9802-000000009802}4148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.913{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9802-000000009802}4148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.913{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.912{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.912{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.912{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.912{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.912{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.912{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.912{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.912{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241F-6387-9502-000000009802}3300C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.912{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241F-6387-9502-000000009802}3300C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.912{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.911{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.911{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.911{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-8F02-000000009802}3268C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.911{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.911{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.911{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.911{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.911{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.911{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.911{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.911{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.911{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.909{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.908{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0800-000000009802}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0800-000000009802}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.907{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.903{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.903{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.903{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.903{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.903{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.903{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.903{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.903{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.903{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.903{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.903{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.903{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.903{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.900{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.900{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.767{8A63456F-2426-6387-9802-000000009802}41484692C:\Windows\system32\conhost.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.762{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.762{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.762{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.762{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.761{8A63456F-2414-6387-7E02-000000009802}4328992C:\Windows\system32\csrss.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000843414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.761{8A63456F-2426-6387-9702-000000009802}4402852C:\Windows\system32\cmd.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000843413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.757{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper"C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{8A63456F-2426-6387-9702-000000009802}440C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd" " 10341000x8000000000000000843412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.730{8A63456F-2418-6387-9102-000000009802}2120652C:\Windows\Explorer.EXE{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.730{8A63456F-2418-6387-9102-000000009802}2120652C:\Windows\Explorer.EXE{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.728{8A63456F-2418-6387-9102-000000009802}2120652C:\Windows\Explorer.EXE{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.723{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-2426-6387-9802-000000009802}4148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.723{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-2426-6387-9802-000000009802}4148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.709{8A63456F-2418-6387-9102-000000009802}21203896C:\Windows\Explorer.EXE{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.709{8A63456F-2418-6387-9102-000000009802}21203896C:\Windows\Explorer.EXE{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.709{8A63456F-2418-6387-9102-000000009802}21203896C:\Windows\Explorer.EXE{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.708{8A63456F-2418-6387-9102-000000009802}21203896C:\Windows\Explorer.EXE{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.707{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2426-6387-9802-000000009802}4148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e30c0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.707{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2426-6387-9802-000000009802}4148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ba330|C:\Windows\System32\SHELL32.dll+e307c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.707{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2426-6387-9802-000000009802}4148C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3050|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.706{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2426-6387-9802-000000009802}4148C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.694{8A63456F-1471-6387-1600-000000009802}12804312C:\Windows\system32\svchost.exe{8A63456F-2426-6387-9802-000000009802}4148C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.694{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2426-6387-9802-000000009802}4148C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.689{8A63456F-2426-6387-9802-000000009802}41484692C:\Windows\system32\conhost.exe{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.675{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-2426-6387-9802-000000009802}4148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000843395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.665{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.665{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.664{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.664{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.664{8A63456F-2414-6387-7E02-000000009802}4328992C:\Windows\system32\csrss.exe{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000843390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.664{8A63456F-2418-6387-9102-000000009802}21205028C:\Windows\Explorer.EXE{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a198f|C:\Windows\System32\windows.storage.dll+a1605|C:\Windows\System32\windows.storage.dll+a10f6|C:\Windows\System32\windows.storage.dll+a2568|C:\Windows\System32\windows.storage.dll+a0f1e|C:\Windows\System32\windows.storage.dll+a3abd|C:\Windows\System32\windows.storage.dll+a41fc|C:\Windows\System32\windows.storage.dll+a3560|C:\Windows\System32\windows.storage.dll+923aa|C:\Windows\System32\windows.storage.dll+92106|C:\Windows\System32\SHELL32.dll+4ca19|C:\Windows\System32\SHELL32.dll+4b5c6|C:\Windows\System32\SHELL32.dll+6d139|C:\Windows\System32\SHELL32.dll+e7e5e|C:\Windows\Explorer.EXE+91a26|C:\Windows\Explorer.EXE+11a0b|C:\Windows\Explorer.EXE+1187e|C:\Windows\Explorer.EXE+f7c2|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000843389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.661{8A63456F-2426-6387-9702-000000009802}440C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd" "C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000843388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.601{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4ED66A3878474D9B8556A1F787E780E,SHA256=D001329D55E42C8CD4B6343A70674A131FBB69F5BCCBF90471651C5E9801FB54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:38.319{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CECD51063C0432C5F0BB4A22E903A6B7,SHA256=7FC2F009B3F8AF8263D34B716F08F667F58FAB3C9CFE94A03B78D8A14E9D13DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:39.560{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2BB4CC0C3843F793D0855D5FFC49201,SHA256=680FBB1721CC99AA280BD7C897A33F1B25618305B59117ACC7EC73F8D24A73B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.974{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fnw1b50t.khk.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.973{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4fmmnocq.wom.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000843550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.817{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4fmmnocq.wom.ps12022-11-30 09:36:39.817 10341000x8000000000000000843549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.758{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.750{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.695{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3192140FA04C4C85F134D2246501A7C2,SHA256=817D39B4D49CAA1C23F31BDC1FF31CED50AF5EB8CD579192AE88CBF5C8108EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.689{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24B333CD93C1B003CE02CE9D2784A289,SHA256=4ABBD1451909448428F5EC2F6000780F54C0AD80F155A83E0A599249B1A2FB56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:35.787{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50496-false10.0.1.12-8000- 23542300x8000000000000000843545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.599{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAED2F3378ADB2E48CBED4F751DB72AE,SHA256=2442C4E36870CF551B35ABB5CDBE01E42AFCF6C6CD18AAC2349F97D9856340CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.546{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.546{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.546{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.546{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.543{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.469{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.458{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.457{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.457{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.457{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.457{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.452{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.076{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8D5300E84B42BA38475CC1365EEB8E,SHA256=20D1F017B0AD71335B429F04B9F59570A418A163EBE4B0750312F71AC98FB395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:40.648{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A3D88AEA297652C67102F3E9733E02,SHA256=DC6DF9FB37E4C0FF4E4FEB60E9CB3B825A6035BA43692A9B0DEC0D3CC11A2401,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.976{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.935{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.898{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.860{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.854{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9064B2FE62528FC7519C1EDD49EAA467,SHA256=D517AD58FBA0CF30C3277916ED5737BADCBF11D975EDD63DFF9F9E0E8D03E78E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.828{8A63456F-1471-6387-1200-000000009802}7761076C:\Windows\System32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.828{8A63456F-1471-6387-1200-000000009802}7761076C:\Windows\System32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.824{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.823{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3FCF2EBE4C50FA847EB4B2C9CA1B05CC,SHA256=29A8C810C76C34FB167CA39BC4575240DDEC31A79F67CA9E41F7D998BFCF0D72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.784{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.749{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:40.335{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:40.335{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:40.335{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.711{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.676{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.637{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.599{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.595{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.595{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.595{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.595{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.595{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.594{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.594{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.560{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.525{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.506{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F2210285AF37616A5835E51059C9F42D,SHA256=5BAC7ADB02FE85AB25A57F00F16B20970F8F41B4B58B6715E7F34A24A5C608D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.500{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.484{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.444{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.401{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.360{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.284{8A63456F-1471-6387-1600-000000009802}12801452C:\Windows\system32\svchost.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.284{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.201{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.201{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000843553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-CreatePipe2022-11-30 09:36:40.146{8A63456F-2426-6387-9902-000000009802}4176\PSHost.133142745987571151.4176.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x8000000000000000843627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.984{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.948{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.916{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.880{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.872{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=70EE93476EBF916A8F99D420304148AF,SHA256=159603CE2351F9228EFA3491373E4699223036F920DEAC71AABE7BA2652F36DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.847{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.826{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A8470C5A3196C1211EE337D0C82FC1,SHA256=8409EE4718949C807396FDAECFC0B0C65894380975BD5DFC07EB030C925EB5CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.811{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.802{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=80F709D7B006025900AF5C08BB19C995,SHA256=399753C0D42D7D803189FE59AB2A122BFDBC29F1BFDF4F10F7422CD955FC3BB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.776{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:41.709{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D0C631FB1F1DC01B1C759C1568DA3B,SHA256=53864C80567FF0DB509F277D62600EBF2F9329E7E5205B24079E992624625B64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.739{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.706{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.671{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.664{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=060DF952F9A01038FC2E51C3B575BE87,SHA256=AA40162F6F44C03AF394CBDE37FBED656E081A456712E8869A3656B00D1B9B10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.638{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.604{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.573{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.570{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7E376105EE23407AC875519CA2E6E5DF,SHA256=CC23A92277483826D91FB4B9CB41CA4D5B9555E64BF65FCF438B00070EFEEEBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.530{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.495{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.460{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.429{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.395{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.386{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A558764674CFF1E7017F4129B909617D,SHA256=D070FBA76474F91002639669A68681FBF15EDB8C24CA83899B846576C94E4944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.360{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.337{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3A2AC7D1B372EE64E48EAA9DA3144355,SHA256=1D0461AC738DF44307C3A65CC255ABB955DD72369CB0203169A05E07EF8F0D44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.321{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.287{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.254{8A63456F-2417-6387-8502-000000009802}20564120C:\Windows\System32\RuntimeBroker.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000843598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.254{8A63456F-2417-6387-8502-000000009802}20564120C:\Windows\System32\RuntimeBroker.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000843597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.244{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.239{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000843595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.239{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000843594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.206{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.168{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.161{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5D209E59AFAFD694203761472D7E8256,SHA256=4213A855C87D14E0B354A64F738B52498D47AD7150E8C39DF6F75A9906FFF309,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.134{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.092{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.058{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.014{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.945{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.945{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.944{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.907{8A63456F-2426-6387-9802-000000009802}41484692C:\Windows\system32\conhost.exe{8A63456F-242A-6387-9E02-000000009802}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.907{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.907{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.907{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.907{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.907{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-242A-6387-9E02-000000009802}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000843706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.907{8A63456F-2426-6387-9902-000000009802}41765240C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8A63456F-242A-6387-9E02-000000009802}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+7d8c71|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+7d807a|UNKNOWN(000001C7F0FCC9A1)|UNKNOWN(000001C7F0FCC9A1)|UNKNOWN(00007FFF76329580)|UNKNOWN(00007FFF76303542)|UNKNOWN(00007FFF7630317D)|UNKNOWN(00007FFF76DCB89B)|UNKNOWN(00007FFF762C00EF)|UNKNOWN(00007FFF76323B61)|UNKNOWN(00007FFF76305B70)|UNKNOWN(00007FFF76305B70)|UNKNOWN(00007FFF76305A01)|UNKNOWN(00007FFF762F6721) 154100x8000000000000000843705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.915{8A63456F-242A-6387-9E02-000000009802}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\4qtgqqrk\4qtgqqrk.cmdline"C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper" 11241100x8000000000000000843704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.907{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4qtgqqrk\4qtgqqrk.cmdline2022-11-30 09:36:42.907 11241100x8000000000000000843703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localDLL2022-11-30 09:36:42.907{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4qtgqqrk\4qtgqqrk.dll2022-11-30 09:36:42.907 10341000x8000000000000000843702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.907{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.882{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\r3pqbxr5\r3pqbxr5.outMD5=7E29CCC1412E1F6FA2A70430E533A01B,SHA256=7FA3330EAE39854D78EBCFE3AE1A2E3405BC8B02A4465257E43E624191930699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.881{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\r3pqbxr5\r3pqbxr5.0.csMD5=8FF6F77DCD753AB363A73156E14F84A4,SHA256=8519D9175C9469562474AF2F653BE4686167F1F9BCBF7BEE1815755212EF17E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.880{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\r3pqbxr5\r3pqbxr5.cmdlineMD5=1A7D08DDD32AC3A728DF04C8CAC4F18C,SHA256=409FBFB8FCA274404840AFF5B90B1618C5931E9403198AB34524FBCA3E436948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.878{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\r3pqbxr5\r3pqbxr5.dllMD5=1CDBE398047FB4057A1F6686D0C1365C,SHA256=9C5EC361155B5F86C4A7F10D639ABBD8233AEAF0241302D09951D947D4EFF664,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 10341000x8000000000000000843697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.873{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.853{8A63456F-242A-6387-9C02-000000009802}5388ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\r3pqbxr5\CSC76D1CDB1BE6436C98D05076D2AF7DF7.TMPMD5=FFB66E9E0C2859E578C5C3E074976C4E,SHA256=2BCA61FDEF41CC18A6CA2120365F98243931AF833E3D63C3BBEFA3DB6FCDFD29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.837{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.804{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.769{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000843692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localDLL2022-11-30 09:36:42.766{8A63456F-242A-6387-9C02-000000009802}5388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\r3pqbxr5\r3pqbxr5.dll2022-11-30 09:36:42.336 23542300x8000000000000000843691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.766{8A63456F-242A-6387-9C02-000000009802}5388ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\r3pqbxr5\r3pqbxr5.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.759{8A63456F-242A-6387-9C02-000000009802}5388ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES817B.tmpMD5=18604C1D216210B935F72EE474091AF8,SHA256=7FFCC19FB5029150B0E23E2350923FE175EE2CF03545399D7CBD6AD91B7B16CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.733{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.698{8A63456F-242A-6387-9D02-000000009802}5416ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES817B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.698{8A63456F-2426-6387-9802-000000009802}41484692C:\Windows\system32\conhost.exe{8A63456F-242A-6387-9D02-000000009802}5416C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.698{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.698{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.698{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.697{8A63456F-2414-6387-7E02-000000009802}4328992C:\Windows\system32\csrss.exe{8A63456F-242A-6387-9D02-000000009802}5416C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000843682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.697{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.697{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.697{8A63456F-242A-6387-9C02-000000009802}53885392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{8A63456F-242A-6387-9D02-000000009802}5416C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000843679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.695{8A63456F-242A-6387-9D02-000000009802}5416C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES817B.tmp" "c:\Users\Administrator\AppData\Local\Temp\r3pqbxr5\CSC76D1CDB1BE6436C98D05076D2AF7DF7.TMP"C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{8A63456F-242A-6387-9C02-000000009802}5388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\r3pqbxr5\r3pqbxr5.cmdline" 10341000x8000000000000000843678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.667{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.633{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.598{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.562{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.531{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.497{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F20FB55B55CEC904AC0B6F6FF500748,SHA256=167367E33C98D4AECFDC215213D45127C41C5BFEA853ABDE9889F6B3EADB4222,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.497{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.465{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.423{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.396{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2A4AD46B1BBD927033A821F2E54C3168,SHA256=5B082E5A4D597F4630A7C1DA61B5CA318184DEA91542F0BA12F0DA7588454433,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.391{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.379{8A63456F-2426-6387-9802-000000009802}41484692C:\Windows\system32\conhost.exe{8A63456F-242A-6387-9C02-000000009802}5388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.379{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.379{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.379{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-242A-6387-9C02-000000009802}5388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000843663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.379{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.379{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.379{8A63456F-2426-6387-9902-000000009802}41765240C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8A63456F-242A-6387-9C02-000000009802}5388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+7d8c71|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+7d807a|UNKNOWN(000001C7F0FCC9A1)|UNKNOWN(000001C7F0FCC9A1)|UNKNOWN(00007FFF76329580)|UNKNOWN(00007FFF76303542)|UNKNOWN(00007FFF7630317D)|UNKNOWN(00007FFF76DCB89B)|UNKNOWN(00007FFF762C00EF)|UNKNOWN(00007FFF76323B61)|UNKNOWN(00007FFF76305B70)|UNKNOWN(00007FFF76305B70)|UNKNOWN(00007FFF76305A01)|UNKNOWN(00007FFF762F6721) 154100x8000000000000000843660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.345{8A63456F-242A-6387-9C02-000000009802}5388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\r3pqbxr5\r3pqbxr5.cmdline"C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper" 10341000x8000000000000000843659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.357{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000843658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.336{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\r3pqbxr5\r3pqbxr5.cmdline2022-11-30 09:36:42.336 11241100x8000000000000000843657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localDLL2022-11-30 09:36:42.336{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\r3pqbxr5\r3pqbxr5.dll2022-11-30 09:36:42.336 10341000x8000000000000000843656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.326{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000843655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.326{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000843654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.325{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000843653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.325{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.325{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000843651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.325{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000843650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.324{8A63456F-2417-6387-8602-000000009802}18484768C:\Windows\system32\sihost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.322{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000843648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.322{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000843647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.322{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000843646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.321{8A63456F-2417-6387-8602-000000009802}18481600C:\Windows\system32\sihost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000843645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.357{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54111-false13.64.180.106-443https 354300x8000000000000000843644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.282{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53844- 354300x8000000000000000843643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.116{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54110-false72.21.91.29-80http 354300x8000000000000000843642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:40.071{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54109-false40.126.28.12-443https 354300x8000000000000000843641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.831{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54108-false72.21.91.29-80http 354300x8000000000000000843640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:39.813{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local58263- 10341000x8000000000000000843639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.289{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.254{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.250{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1DE00B3C560081D63BB9C418CCD21314,SHA256=FB04561CAB86639194F027BB6090F98DA5B47B9EB89AB1C7CDF802EA552AA796,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.218{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.185{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.149{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.144{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E380E8830F410797AA2C75A93A66F6F1,SHA256=33E3FC08E762306C147BF628E32B67841DD63335E35783802781CC86E2D54DDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.117{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.082{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.052{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.040{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=01562FCD8371E28E08E92D37C8867559,SHA256=1A5FAC220C1A4E2D4CECED92294A0CCF0D3DABAE6A84EB92A4B857FC04EB4BEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.017{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:42.803{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E88426B474C4C26F53397AEEA9ED47,SHA256=717077DB6DCD169CED53E36622560A5249004ACA18E538B8693EE43309802DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.987{8A63456F-242B-6387-A202-000000009802}5592ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\b2pxxd2v\CSC40D692BBA2264A119D9548999FD491.TMPMD5=FC80BC68E08AB80AEB4B7E6C2BE3D84D,SHA256=192E1F9F718521AA7AF3A5A1CF76893CDB5A8E10B81F4EDEE2B20F14A8438D77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.954{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD6AB898F5551099401C6E5CE6C6CEC,SHA256=C20C788AA838A7B11DE259253A2612D7256BEBB77DFCF5B44892B4F9756ED27A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.954{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F2DE045B3B9F52502E5F85CCBAADACBB,SHA256=E094B00F6920A77904BC60383C575FB51368DB7D9D13DCC728C63DA811D4C4D0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000843915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localDLL2022-11-30 09:36:43.907{8A63456F-242B-6387-A202-000000009802}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\b2pxxd2v\b2pxxd2v.dll2022-11-30 09:36:43.757 23542300x8000000000000000843914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.907{8A63456F-242B-6387-A202-000000009802}5592ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\b2pxxd2v\b2pxxd2v.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.907{8A63456F-242B-6387-A202-000000009802}5592ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES8600.tmpMD5=AC5A38EAA61D4C963912CD2605F21E52,SHA256=4A44DA86FB1F5A91EDE3E0629292728133968CAD83CC31946632095ACC8DAC05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.857{8A63456F-242B-6387-A302-000000009802}5616ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES8600.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.849{8A63456F-2426-6387-9802-000000009802}41484692C:\Windows\system32\conhost.exe{8A63456F-242B-6387-A302-000000009802}5616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.847{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.847{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.847{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.847{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.847{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-242B-6387-A302-000000009802}5616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000843905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.846{8A63456F-242B-6387-A202-000000009802}55925596C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{8A63456F-242B-6387-A302-000000009802}5616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000843904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.846{8A63456F-242B-6387-A302-000000009802}5616C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES8600.tmp" "c:\Users\Administrator\AppData\Local\Temp\b2pxxd2v\CSC40D692BBA2264A119D9548999FD491.TMP"C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{8A63456F-242B-6387-A202-000000009802}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\b2pxxd2v\b2pxxd2v.cmdline" 10341000x8000000000000000843903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.764{8A63456F-2426-6387-9802-000000009802}41484692C:\Windows\system32\conhost.exe{8A63456F-242B-6387-A202-000000009802}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.761{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.761{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.761{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.761{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.760{8A63456F-2414-6387-7E02-000000009802}4328992C:\Windows\system32\csrss.exe{8A63456F-242B-6387-A202-000000009802}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000843897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.760{8A63456F-2426-6387-9902-000000009802}41765240C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8A63456F-242B-6387-A202-000000009802}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+7d8c71|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+7d807a|UNKNOWN(000001C7F0FCC9A1)|UNKNOWN(000001C7F0FCC9A1)|UNKNOWN(00007FFF76329580)|UNKNOWN(00007FFF76303542)|UNKNOWN(00007FFF7630317D)|UNKNOWN(00007FFF76DCB89B)|UNKNOWN(00007FFF762C00EF)|UNKNOWN(00007FFF76323B61)|UNKNOWN(00007FFF76305B70)|UNKNOWN(00007FFF76305B70)|UNKNOWN(00007FFF76305CF0)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+11a522 154100x8000000000000000843896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.761{8A63456F-242B-6387-A202-000000009802}5592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\b2pxxd2v\b2pxxd2v.cmdline"C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper" 11241100x8000000000000000843895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.758{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\b2pxxd2v\b2pxxd2v.cmdline2022-11-30 09:36:43.758 11241100x8000000000000000843894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localDLL2022-11-30 09:36:43.758{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\b2pxxd2v\b2pxxd2v.dll2022-11-30 09:36:43.757 10341000x8000000000000000843893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.686{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.631{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C41BC9E0A449DA0417C0A14DD4D4D813,SHA256=3094189651E5625A70708F2D7410E1B9CF68DF5406B95F1D142DEA43AEB35B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.522{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=84D8E67587EC79371450BE3E9828256B,SHA256=FC347ED4AEE67B9C0E286B68D5E276E1AECB6EF51D47EB5BC2383D488D1CDF02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.461{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\mngaqsjp\mngaqsjp.outMD5=613C0A6B165BCF95D6CD55AF2025B7CF,SHA256=ADF29ECDBAB2010E542F6BC31043F4DF69E40E857A5F12D7588F5CD73E6822CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.460{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\mngaqsjp\mngaqsjp.cmdlineMD5=CEA361E77345C0C01FDDD5430AE1F01D,SHA256=8766C9ABD2B69F7945C3DDC72E97569C9D24B8F5A929AF35146E7E13EDAAAD09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.458{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\mngaqsjp\mngaqsjp.0.csMD5=986DE8D150F07C409E63595ED82A418D,SHA256=B5932B6734CB4CD024A1935D17BA61F0B3AA4861E711D29699298F405012AA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.457{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\mngaqsjp\mngaqsjp.dllMD5=8A5C68DD9162F99C621F34FF057E0EF1,SHA256=10D10FC06DEBFE271E5C24664D2D852629A4CF1E3880AF178DB06C6C82E7CCFC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000843886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.437{8A63456F-242B-6387-A002-000000009802}5512ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\mngaqsjp\CSC115D4E6AC23D41EC8CA9D596CD5255C.TMPMD5=EDC0FDBE4F1A38A84F87889932D057AC,SHA256=6058B1C62D31B2FEFF70BE56E49FD15E2DCA0976BE81F54E9555BB45F69E84A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.407{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.407{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.407{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 11241100x8000000000000000843882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localDLL2022-11-30 09:36:43.391{8A63456F-242B-6387-A002-000000009802}5512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\mngaqsjp\mngaqsjp.dll2022-11-30 09:36:43.232 23542300x8000000000000000843881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.391{8A63456F-242B-6387-A002-000000009802}5512ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\mngaqsjp\mngaqsjp.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.390{8A63456F-242B-6387-A002-000000009802}5512ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES83FC.tmpMD5=7536C6DC4CFC55150C24386657E0D20B,SHA256=8DFE6EC26C92C13D9DD448CED46C90539FACFD19E316B1495042860B5AE37B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.351{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CA4923BCD65A42FA6F3106B42A4522,SHA256=2E0EA4483791F74D4E97D37483B861F4C2F834073A03BDB538D522C0DE15D9BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.343{8A63456F-242B-6387-A102-000000009802}5536ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES83FC.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.337{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.337{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.337{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.336{8A63456F-2426-6387-9802-000000009802}41484692C:\Windows\system32\conhost.exe{8A63456F-242B-6387-A102-000000009802}5536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.333{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.333{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.333{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.333{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-242B-6387-A102-000000009802}5536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000843869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.333{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.333{8A63456F-242B-6387-A002-000000009802}55125516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{8A63456F-242B-6387-A102-000000009802}5536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000843867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.333{8A63456F-242B-6387-A102-000000009802}5536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES83FC.tmp" "c:\Users\Administrator\AppData\Local\Temp\mngaqsjp\CSC115D4E6AC23D41EC8CA9D596CD5255C.TMP"C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{8A63456F-242B-6387-A002-000000009802}5512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\mngaqsjp\mngaqsjp.cmdline" 354300x8000000000000000843866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.568{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54112-false10.0.1.12-8000- 10341000x8000000000000000843865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.331{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.331{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.331{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.330{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.330{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.330{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.239{8A63456F-2426-6387-9802-000000009802}41484692C:\Windows\system32\conhost.exe{8A63456F-242B-6387-A002-000000009802}5512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.236{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.236{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.236{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.236{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.236{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-242B-6387-A002-000000009802}5512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000843853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.235{8A63456F-2426-6387-9902-000000009802}41765240C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8A63456F-242B-6387-A002-000000009802}5512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+7d8c71|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+7d807a|UNKNOWN(000001C7F0FCC9A1)|UNKNOWN(000001C7F0FCC9A1)|UNKNOWN(00007FFF76329580)|UNKNOWN(00007FFF76303542)|UNKNOWN(00007FFF7630317D)|UNKNOWN(00007FFF76DCB89B)|UNKNOWN(00007FFF762C00EF)|UNKNOWN(00007FFF76323B61)|UNKNOWN(00007FFF76305B70)|UNKNOWN(00007FFF76305B70)|UNKNOWN(00007FFF76305A01)|UNKNOWN(00007FFF762F6721) 154100x8000000000000000843852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.236{8A63456F-242B-6387-A002-000000009802}5512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\mngaqsjp\mngaqsjp.cmdline"C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper" 11241100x8000000000000000843851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.232{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\mngaqsjp\mngaqsjp.cmdline2022-11-30 09:36:43.232 11241100x8000000000000000843850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localDLL2022-11-30 09:36:43.232{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\mngaqsjp\mngaqsjp.dll2022-11-30 09:36:43.232 23542300x8000000000000000843849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.216{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=757CDD3DDD253A9D5E3E2E4E78995234,SHA256=9656EEB3CBAEAD48F9D4F5BAA00198F342183A3727CA87A3D3A7A8E2737AF532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.214{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1BAE7A6FF11E301C9DD42F4E6984E7,SHA256=29A98F6639D58A114F7CC2A7B850FE2A83B6EDACAFDCC739D0FD029CBC958D3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.204{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.204{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.204{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.198{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.198{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.198{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000843841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.166{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4qtgqqrk\4qtgqqrk.cmdlineMD5=5165C28D261920F965171BE8D71C7D29,SHA256=E65F0C8FE89BF37FC25C133EC70EAE7A59BE4B6898F01C66EF7C45306F17154F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.164{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4qtgqqrk\4qtgqqrk.dllMD5=B385EF1663B96AC1F780A7D81560D66A,SHA256=C840FB74BD76FE0C0D1CDBDB5D006915E9C87820C39CEE0FDDA7D4EF934E0230,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000843839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.163{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4qtgqqrk\4qtgqqrk.outMD5=BA19E6BF991FD8DBBD53268B27F260BC,SHA256=D82042FDE1298B2F6368208F26C2D4612E612EB82CCEC04591DE2D007B197924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.162{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4qtgqqrk\4qtgqqrk.0.csMD5=3E8D350584B97FFDF25D6635F115BEC5,SHA256=9902627C6BD17B59BDE225344798F5875AF7AB2DF7EEF96A41DD502191A287A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.144{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.144{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.144{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000843834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.141{8A63456F-242A-6387-9E02-000000009802}5448ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\4qtgqqrk\CSCD946D4EF881B45C69779746E53723B47.TMPMD5=834B24D1362BF901BB5FEC054C1A418B,SHA256=940AA014F16802A37FB62DB7A74ED5CBFB5764D0DC3B322730DABD483106CD17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.116{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.116{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.116{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.116{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.116{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.116{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.115{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.115{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.115{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.115{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.115{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.115{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.114{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.114{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.114{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.113{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.113{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.113{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.108{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.108{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.108{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.107{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.107{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.107{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.106{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.106{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.106{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.105{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.105{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.105{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.104{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.104{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.104{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.101{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.100{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.100{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.099{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.099{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.099{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 11241100x8000000000000000843794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localDLL2022-11-30 09:36:43.094{8A63456F-242A-6387-9E02-000000009802}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\4qtgqqrk\4qtgqqrk.dll2022-11-30 09:36:42.907 23542300x8000000000000000843793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.094{8A63456F-242A-6387-9E02-000000009802}5448ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\4qtgqqrk\4qtgqqrk.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.093{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.093{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000843790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.093{8A63456F-242A-6387-9E02-000000009802}5448ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES82D3.tmpMD5=63077FF10FAEE0ACCA6637597D013D2C,SHA256=8247BFBA4B696EBD0137E1C8404C12B0CB3A2B50FF1D1C3D876EE763ED370A27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.093{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.087{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.087{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.087{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000843785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.079{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A34490934197E02FB0D7407AAE9B10,SHA256=934E12E3EA7B668E5C1C930C2F8ABEFA2F62B681AE3CC580FAEABBC0999AEA0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.070{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E8F7887A6E47B0CE6130215D60DE9218,SHA256=ACC28A59F12694B27A6D40F3EE053064ADA4DCC8A0D51B2E815BFCBDC52AC085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.069{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4508B8EA44C2E3242ABBE2E619F04046,SHA256=C1033F2A75A15BFC48E32DB386312E7BC832B5D44680CA77EBF3E2503EACB45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.069{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83611B7CCE3BD456EB2DBEB8B66F37FD,SHA256=8F88A9FA13717E8BC5B93223C38D19AAE63B7BA15826C262357686A99687E082,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.060{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.060{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.060{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000843778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.037{8A63456F-242B-6387-9F02-000000009802}5468ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES82D3.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.029{8A63456F-2426-6387-9802-000000009802}41484692C:\Windows\system32\conhost.exe{8A63456F-242B-6387-9F02-000000009802}5468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.026{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.026{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.026{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.026{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.026{8A63456F-2414-6387-7E02-000000009802}4328992C:\Windows\system32\csrss.exe{8A63456F-242B-6387-9F02-000000009802}5468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000843771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.025{8A63456F-242A-6387-9E02-000000009802}54485452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{8A63456F-242B-6387-9F02-000000009802}5468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.025{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0800-000000009802}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 154100x8000000000000000843769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.025{8A63456F-242B-6387-9F02-000000009802}5468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES82D3.tmp" "c:\Users\Administrator\AppData\Local\Temp\4qtgqqrk\CSCD946D4EF881B45C69779746E53723B47.TMP"C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{8A63456F-242A-6387-9E02-000000009802}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\4qtgqqrk\4qtgqqrk.cmdline" 10341000x8000000000000000843768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.025{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0800-000000009802}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.025{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0800-000000009802}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.024{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.024{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.024{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.009{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.009{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.009{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.006{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.006{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.006{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.996{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.996{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.996{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.992{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.992{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.992{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.991{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.991{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.991{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.991{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.991{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.991{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.991{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.991{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.989{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.989{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.989{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.989{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.989{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.989{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.989{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.986{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.986{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.986{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.986{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.986{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.985{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.985{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.985{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.984{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.984{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.984{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.984{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.984{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.984{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.984{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.984{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.981{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.981{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.981{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.981{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:42.981{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000393603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.633{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.630{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.628{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.626{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.625{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.623{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.622{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.620{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.619{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.615{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.614{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.609{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.606{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.601{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.594{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.592{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.576{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.571{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.564{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.557{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.551{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.520{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.510{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.505{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.498{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.496{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.493{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.490{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:43.487{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000843955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.870{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.743{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.743{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.743{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.742{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.742{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.742{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000843948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.692{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C56ADFB55C64F166258078E3B99AB048,SHA256=0013E201C8F14E25AB4FD77016F4A11461B5095B292B87DB226F778D941E64CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000843947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.766{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60945- 354300x8000000000000000843946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.738{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local60945- 354300x8000000000000000843945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:41.738{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local60030- 10341000x8000000000000000843944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.539{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.539{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.539{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.536{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.536{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.536{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.518{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.518{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.518{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.513{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.513{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.513{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.498{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.498{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.498{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.448{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.448{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.448{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000843926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.372{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3A28ABC46B2FF637AC88833DB2F4BB43,SHA256=054C85015FAB9AC9D5FB7FF1084C528CD1498D9C78DFB4A1274D46A8F5358BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.269{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B9755255761D97C615E526372651CCFC,SHA256=050B52023B3D3EEEEF5E7D8C56F9EDE697EE1D11DE77C51D9956D43F7D778CD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.185{8A63456F-2417-6387-8602-000000009802}18481600C:\Windows\system32\sihost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.167{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=54C5604CAE1DC23872B800407C2FADA5,SHA256=A82EAE4D2711185E16966AB7D4B7F8962FD43E35911DD3EE6D762438209662C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.012{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\b2pxxd2v\b2pxxd2v.0.csMD5=D9ACA9FFA16C22410A16DE5D5571469D,SHA256=74E86BCD8E601DAC165642F69B571B651867BE0251D7B3D9498D1F080E4D8391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.010{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\b2pxxd2v\b2pxxd2v.cmdlineMD5=CE0A614C047DCA614A49C18F61BD8CC4,SHA256=AC2F061CBB82577D92B6C12B03B5C1278CC6E77DEB4264F4E4F9FB6731BE6FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.008{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\b2pxxd2v\b2pxxd2v.dllMD5=B565C15DACF31E9415A45785ADC32CFC,SHA256=F3D4AC5FB4F87E20076B7A3C9D126F93712290A5DA3C280A6BF0D9AF713E56E7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000843919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.008{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\b2pxxd2v\b2pxxd2v.outMD5=AF639051EC16AC96C8CCE7860810410B,SHA256=4CDAFF7E142A1B71542CA9F80F35D698FB559E17BD0617EE99CFC7F3B2A54540,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:41.791{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50497-false10.0.1.12-8000- 23542300x8000000000000000393604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:44.182{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3269142CBE8D0C5262AC1481DA4DE43,SHA256=4CD67C96B073757634B790C9F3C0767BADFE506BE3E532D2F4D46AE2C3B6E9CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.923{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.922{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.595{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.595{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.595{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.595{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.595{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9702-000000009802}440C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.592{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.592{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 354300x8000000000000000843970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.780{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54116-false169.254.169.254-80http 354300x8000000000000000843969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.759{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54115-false169.254.169.254-80http 354300x8000000000000000843968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.715{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54114-false169.254.169.254-80http 354300x8000000000000000843967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:43.668{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54113-false169.254.169.254-80http 10341000x8000000000000000843966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.591{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.591{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.591{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000843963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.354{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000843962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.220{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C72128593392F161EC8455D7C183B5,SHA256=A7EF8B06E5A94DF36FA1C1E506A856E59C8C5367861E36F260F787FC07AFEFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.219{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2098BFA232163EEC99FECA63444F397C,SHA256=F38E5BBFF4FADCE0F8138F694964FD1A42D31F0D24C3FEEAB0F69AE9057CAA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.218{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D9FB2CC9FDB040FF5E2371CCE6597F2,SHA256=6A986420834A7BCF765382DAC4BAB6AC434C4CA82F8C71E0C5DC60426C3A7508,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.120{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.120{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.119{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:45.119{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:45.257{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C2E3BC70B4DA40DD9E005794940E5B,SHA256=B5B3BF5F2FBD703CC4CF0653AE085BBF035692855992FBDB57964F6F10551B39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.980{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.980{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.980{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.980{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.978{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.978{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.833{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.833{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.833{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.833{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.831{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.830{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.748{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.748{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.748{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.748{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.745{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.745{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.692{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.692{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.692{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.691{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.690{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.690{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.686{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000843987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.686{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000843986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.394{8A63456F-2426-6387-9902-000000009802}4176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.294{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=C720ECCDD1FFE4B9C4F4E54032035A7C,SHA256=3182F4EFAFE698A4057171F7BDA0623EDC670323ECBB98F251712C201DE559B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.226{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8E6C4E862DB60CC50786D684EC937CD6,SHA256=CA8F89EA06488F09C73C45B858DD6D4DE70838E0673251C3C24636522FB3994A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.224{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B88CDA0442E34CF9B1E3FB45E60D1E1,SHA256=6BE51709F71864E69E3429D30D5B67A5EBBA923FEFF99A31481FD0E6806170F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.223{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8086F916748ACF901914A59863654DA1,SHA256=7FB95AF557EB6537CCFD95ED75E58C629BDCB5CDD6B3A8D8D9639DC0AFF6EF3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000843981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.220{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaperMD5=083834EEFE239833051C4EF6B59C8B11,SHA256=CCBF5911EB1AF39ADDC27BCA38EE479C5D19017D3854811C3A7764DFEA31F332,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000843980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.161{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:46.327{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886EEF5AC1F5FDCBD61BA31AD862D031,SHA256=97A62EB65CE7B1020BA24A524327BA936EF552EEBBFD162956BE2076DF7CCEB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:46.209{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000844056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.907{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1342E39FD2B32390A3D617A49D7FE0FB,SHA256=6025DD352F2D109D09C2321D4CF863D0A82583A78785FCA6FA99A493C9943EF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.623{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.623{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.623{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.623{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.621{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.621{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.621{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.621{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.619{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.619{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.615{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.614{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.612{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.612{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.606{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.606{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.606{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.606{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.606{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.603{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.603{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 354300x8000000000000000844034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.948{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54119-false169.254.169.254-80http 354300x8000000000000000844033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.946{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54118-false72.21.91.29-80http 354300x8000000000000000844032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:44.928{8A63456F-2426-6387-9902-000000009802}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54117-false169.254.169.254-80http 10341000x8000000000000000844031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.318{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.318{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.318{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.318{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.317{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.316{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.316{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.315{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.315{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.314{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.313{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.311{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.311{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.152{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.152{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.151{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.151{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.149{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:47.149{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000393609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:47.401{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26703384D60E622CDC03AE065262A0F1,SHA256=39C9A4EA7BF104DD979F437F128837DE537BAD8FD837A0158E782D26AAE16E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.909{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC69B0DA167121350FFB5B972D87876,SHA256=D310EA38489871B623832C35F5A65E8C15696D3CC71D0B345C29401BFE39F760,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.199{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.199{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.199{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.199{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.199{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.197{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.197{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.197{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.196{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.196{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.196{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.193{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.193{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.193{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.193{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.191{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.191{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.159{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.159{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.159{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.159{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.159{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.156{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.156{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.107{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.107{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.105{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:48.105{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000393610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:48.476{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13022C4436D6FAD832315F54620D9100,SHA256=84669474F6EDFEC59CBD0FE0FC647F54E83E1C49E1800545273DF02A44152624,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:46.628{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54120-false10.0.1.12-8000- 23542300x8000000000000000844086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:49.511{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA159BA3006DED169BFA5AD3E3EA9F11,SHA256=7A3331717F54A273104B5087D4521C7131816E583D15C7F944F40469A7B54C54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.951{E56ECBBF-2431-6387-7802-000000009902}9361960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.780{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2431-6387-7802-000000009902}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.780{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.780{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.780{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.780{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.780{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.780{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.780{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.780{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.780{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.780{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2431-6387-7802-000000009902}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.780{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2431-6387-7802-000000009902}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.781{E56ECBBF-2431-6387-7802-000000009902}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.701{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:49.561{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6227CED18FF1A43B39FE1C08FFFC507D,SHA256=BE69DBF6306CA9DF6A8DFF0EBD3CDF3D9DE543CFB4E639A313A404129EEEAB43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:50.586{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1239C6401A22815C318D58405E0D84,SHA256=386F85FA2338CA662C89F27DEBA321DCB4F3691B254782BC3D8431ED265FFD8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:50.446{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=673ADE7BA5D91E9A71A92F98D4DD5676,SHA256=E0A90E1CCDA097C3E413D558262363822A12364925AD96E5ADF5FA90FF7E9FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:50.446{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D71FB58C67805EB00C9DB37F239156EF,SHA256=19D919FFB05D1C150561B36BAE7BA575B944242217DE7093AE66A133207D5B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.926{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAD5B79FFEEAC5A5468C997A4A4CFF27,SHA256=63643942F80D9A2868061979957E99922D3D5C5E0A351F4346ED3309DD07A47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.739{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD45ADA39A34E3C93C590990DC98113C,SHA256=9AF6D87CA6B43CCA62408069AEFBB100A38AD058BE813AAE37C4F8C7B3CED146,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.395{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2432-6387-7902-000000009902}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.395{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.395{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.395{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.395{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.395{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.395{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.395{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.395{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.395{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.395{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2432-6387-7902-000000009902}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.395{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2432-6387-7902-000000009902}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.396{E56ECBBF-2432-6387-7902-000000009902}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:50.270{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=ACA6E462E661FF0EF35B9B59064A2E22,SHA256=8BE3D0CE4BDCCAC9A19805AFC2669328A060CC6BF2DDB2DB6DA99662AE106E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.776{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6CE3E1402850346E3CF467F603CB12,SHA256=D860C799EEE3F30565F30DA2284D1BDD9B765B0532BBBFF84452BD23E6D44A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:51.652{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2CB718B94165C285305F109F012A68,SHA256=B108DD789652CF7A7D128871A95B7AEF9294EA63C990741A7DC3BE86CB74CB9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.636{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=32209C551A84D0A2497DCA28849D8FC6,SHA256=AF9FDE941308B33C14E18A02889A775300F54E872787C99BD4F5A762049E83C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:48.439{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50499-false10.0.1.12-8089- 354300x8000000000000000393656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:47.800{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50498-false10.0.1.12-8000- 10341000x8000000000000000393655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.268{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2433-6387-7A02-000000009902}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.268{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.268{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.268{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.268{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.268{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.268{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.268{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.268{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.268{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.268{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2433-6387-7A02-000000009902}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.268{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2433-6387-7A02-000000009902}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:51.269{E56ECBBF-2433-6387-7A02-000000009902}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:52.861{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CDFE135AEDDDEE8316FC02E7303D0B,SHA256=CDBFE5842C9967A91A87937C9CB4F4E858C91CF378139C14E40A2ED1CCAE4B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:52.927{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:52.748{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794108813A1B5DCF26FF5818897F0A66,SHA256=9A792DB6ADC2B8BFB65176A188CDFC060AE09616380D459BC87F644961AA57E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.946{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95447DCCD1F08955C833E122DB321C4,SHA256=98CD771D1DB7AD36EB41518B96B6914E800CA9294A9845109313C4AF3522B93F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:53.833{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48D1F094AE634CA66E60761F8E391BD,SHA256=328B1DE887AFEE6062EF5C685F22C17C579845CA70B2BB09B2C9F858571D4DBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.837{E56ECBBF-2435-6387-7B02-000000009902}23322520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.696{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2435-6387-7B02-000000009902}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.696{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.696{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.696{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.696{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.696{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.696{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.696{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.696{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.696{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.696{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-2435-6387-7B02-000000009902}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.696{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2435-6387-7B02-000000009902}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.697{E56ECBBF-2435-6387-7B02-000000009902}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000844105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:54.907{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152736FBDC9214465674B6D803E9F7CD,SHA256=3E7AEF63D8721F7C4B92082ABD479654838AB202FB7FD58E438E3D8DE93EB85E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.892{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2436-6387-7D02-000000009902}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.892{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.892{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.892{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.892{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.892{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.892{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.892{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.892{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.892{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.892{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2436-6387-7D02-000000009902}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.892{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2436-6387-7D02-000000009902}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.893{E56ECBBF-2436-6387-7D02-000000009902}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000393695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.424{E56ECBBF-2436-6387-7C02-000000009902}360720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.314{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2436-6387-7C02-000000009902}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.314{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2436-6387-7C02-000000009902}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.314{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2436-6387-7C02-000000009902}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.314{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2436-6387-7C02-000000009902}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.314{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2436-6387-7C02-000000009902}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.314{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2436-6387-7C02-000000009902}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.220{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2436-6387-7C02-000000009902}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.220{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.220{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.220{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.220{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.220{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.220{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.220{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.220{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.220{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.220{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2436-6387-7C02-000000009902}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.220{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2436-6387-7C02-000000009902}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:54.221{E56ECBBF-2436-6387-7C02-000000009902}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000844104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:54.829{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:54.829{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:54.829{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:54.778{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:54.778{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:54.778{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:54.778{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:54.775{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:54.775{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 354300x8000000000000000844095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:52.356{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54121-false10.0.1.12-8089- 23542300x8000000000000000393711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:55.974{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB3B86A92C31C4218410CC123163E9F2,SHA256=C58EF291BB46F241678B9DFBDD0DE5447376CEC4B80FB4B01754EDF69410969B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:55.307{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1530086A7DCC9883EEA229C72A1F4CA0,SHA256=8939B2001880AE73DEAA1E135FC8B25C38E6A0F551639F801044CD5C1CC9E73E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:55.025{E56ECBBF-2436-6387-7D02-000000009902}12442500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000844106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:52.653{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54122-false10.0.1.12-8000- 354300x8000000000000000393726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:53.004{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50500-false10.0.1.12-8000- 23542300x8000000000000000393725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:56.138{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD1576225660C376045E3029A29CD12,SHA256=59B8972D608F4B799DA519D40C79AD9E92CF8E384BE7F4FDB4AF1436EE9F3CF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:56.817{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:56.817{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:56.817{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:56.817{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:56.812{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:56.812{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:56.812{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:56.812{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:56.804{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:56.804{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000844107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:56.001{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5E9ED046557163987B9B12DC85CCC9,SHA256=7EBA1AB5D29C4637E8322D2F99C31BBD93DFECCB0F963E288B4AA1EE85993D7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:56.014{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2438-6387-7E02-000000009902}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:56.014{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:56.014{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:56.014{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:56.014{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:56.014{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:56.014{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:56.014{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:56.014{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:56.014{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:56.014{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-2438-6387-7E02-000000009902}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:56.014{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2438-6387-7E02-000000009902}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:56.015{E56ECBBF-2438-6387-7E02-000000009902}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:57.193{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62DCF03FE80C3836DEDB11399F3FD60,SHA256=9A55877C43305CB41EF9EC3B3D6311C6806B7F17E4BE1EF8E118BC577B9D8997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:57.077{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209A4BFD6490027414B169D73747B524,SHA256=F97CFF67C93385AE717D9418C23494CE0C3987FBDFD9E3111CD64272F5E72335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:58.283{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EE4CBE713B1329F0EC86B4FEB46CD9,SHA256=8E65A477DEBDF050D1FCB48375FE4612AEC8F3AF5E2D1C50E0A492D805CC2C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:58.163{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F510301CED8F71424FC8945A20552B64,SHA256=6153C81EA4E7D7A136028E1C353C0E2BAA24973C0FAD9F01D5A28F2BAD3A0A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:59.345{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D9B2ABCCFB4C03EF88945C08626042,SHA256=2615D370128BAE1A1E1798BD7B5A86AED7D36ECDBCC0C8C2E72D533F0ADC7EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:59.259{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=869C454BD232A6660FCC645DB2AAD0CE,SHA256=36E9B4EA0D10DD1FDFB87497F9175AE1E119AEA6A5971C6474ED27B392336D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:00.426{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D4F4DE6EDF683EA2CDB7E36076A803,SHA256=766D12EA80EB39AC3F4F81CE8DD20660C755AA2BC23086D27E868908472D35F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:36:58.485{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54123-false10.0.1.12-8000- 10341000x8000000000000000844146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.625{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.621{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.615{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.613{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.606{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.604{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.603{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.597{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.590{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.587{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.582{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.579{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.544{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.538{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.525{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.520{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.510{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.500{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.491{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.478{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.466{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.441{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.433{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.377{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.371{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 23542300x8000000000000000844121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:00.341{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028EE2ABC27FC4506A2356C38C498F81,SHA256=3A53A34CEF85A81E6C09C1D5907CA4B660A6ACD7718B0E118E27A3623B051B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:01.687{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD97C04816E444A89B5C4C612EA3D069,SHA256=366E87AF3830F1A9614D4BB25E328080F61B5FED8359752482EA4E7C99959DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:01.497{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99FD59B8B00973E59C9EB0BA3846C00,SHA256=F90285075375E5000A5DC4D864ED2576411C0AC634E6FF6D8263C7523EEA4A9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:01.095{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:02.850{8A63456F-1471-6387-0D00-000000009802}9082236C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000844150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:02.772{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CBB53BDA47A47C7F22BC8B7209827D,SHA256=A625D8A165D760626AE4C7EFC4283CDE09157DFEEBC6E1B788852105BED95E19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:36:58.930{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50501-false10.0.1.12-8000- 23542300x8000000000000000393732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:02.587{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF1B84ABCF59C94DE357CB1814F9B12D,SHA256=D15438F19483CA167A31D68AA2AD5E27F956D1C2D85953A794D8361660075A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.833{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022DB343835848E6D354A2B6B877814D,SHA256=9C0DABB392BCB14558D147A3244508A9B287296D7C9AAB7B614086588763550A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.665{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0589F3BBFC70E864C1D01E1ADAEC84C,SHA256=617D51414B6B2920CFDC746CBD2CCF5AD6C4F1B88D246E23F4A358BDD0507734,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.649{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.649{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.647{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.645{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.643{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.640{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.639{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.637{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.635{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.632{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.630{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.626{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.623{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.615{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.608{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.605{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.593{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000844168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.759{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.741{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.737{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.706{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.700{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.687{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.675{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.671{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.667{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.664{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.661{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.658{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.655{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.652{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.651{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.134{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000844152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.133{8A63456F-2424-6387-9602-000000009802}47845492C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017DF2190) 10341000x8000000000000000393745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.587{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.581{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.572{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.565{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.539{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.525{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.518{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.509{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.499{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.491{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.481{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:03.478{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 23542300x8000000000000000393764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:04.644{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694B20E3CC10D2AD00264F0FCF28FD7E,SHA256=21325AD81A1734B3351DBDBD051A96A6A83435FB09A9DDC53B03DDF9EA5370C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:04.905{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017511A405FEB5F011CEAB1AC174FC62,SHA256=43AFD4B761E3E47E50710F03E82C0803FDF5C61CCBFD2696C1D4E850920F0950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:05.722{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B19B47D0D5EFA68F6CA54DB4EF82AC,SHA256=F486D8801F6520C81928206BDF65019A6FDB6CA313620176C502088439174B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.997{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7A6883424B62DEB140ED7424C68298B,SHA256=605AAD67603AC5D8016A3C96B648A20B802A2CCC7723729A9C981567294147A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.984{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6BC58D4B1AF84DF3FA137E04974EB2F,SHA256=ABB7D8B79E60F590F128E346F8B55E4E5F3A67F143E7C966C0617DA603545DA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.943{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.943{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.943{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.941{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.941{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.941{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.938{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.938{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.938{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.937{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.937{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.934{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.934{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 354300x8000000000000000844179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:03.574{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54124-false10.0.1.12-8000- 10341000x8000000000000000844178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.097{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2440-6387-A402-000000009802}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.097{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.097{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.097{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.097{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.097{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2440-6387-A402-000000009802}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.097{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2440-6387-A402-000000009802}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:04.942{8A63456F-2440-6387-A402-000000009802}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:06.789{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D062A859D80D26EA2ADCA20E6F90D5C1,SHA256=5EAE7BF07274BD7CCA73E8C23198ACAB44F3C4046F813B35943D11AA0779969C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.956{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=75A594DE15D4332A3B18F6447BD7CDFE,SHA256=F9E63DC66C2D9D96128C954CB5649DE245BEE3749149CC4698014074BE43F1C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.836{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2442-6387-A602-000000009802}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.836{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.836{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.836{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.836{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.836{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2442-6387-A602-000000009802}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.836{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2442-6387-A602-000000009802}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.680{8A63456F-2442-6387-A602-000000009802}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000844204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.367{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.367{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0500-000000009802}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.008{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2441-6387-A502-000000009802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.006{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.006{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.005{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2441-6387-A502-000000009802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.005{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.005{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:06.005{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2441-6387-A502-000000009802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.816{8A63456F-2441-6387-A502-000000009802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:07.867{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24E771BEF95403FE91002A3F2EB8A21,SHA256=6DBC0B3976870F7683AE3BCDDD22FA4D2CF63C15F84138C4C24326EFCD08C94A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.835{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54125-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000844217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:05.835{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54125-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000844216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:07.373{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F6B2A762CD294A78BB83DF0A257E06E8,SHA256=4658D64BCC5FAFB972ECC783F2007847F5D7D9A7D35ECBE10DADD71EEEABAE88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:07.093{8A63456F-2442-6387-A602-000000009802}59885992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000844214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:07.092{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369EAFE3BDCE401991AB5EB43C0A24C1,SHA256=CC55B96B3A19540FA5551CA39173BDA20C2DD813356B767EEB91A45E098B6A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:08.952{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AA4C8D049AAAA7AE3CAC21DDF9E100,SHA256=FAB256E45A3BE45B96249E67BAA5D6AA16EB5C91DEB373E6913E3C164E28ECE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:04.852{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50502-false10.0.1.12-8000- 10341000x8000000000000000844228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:08.803{8A63456F-2444-6387-A702-000000009802}60406044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:08.553{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2444-6387-A702-000000009802}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:08.537{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2444-6387-A702-000000009802}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:08.537{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2444-6387-A702-000000009802}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:08.413{8A63456F-2444-6387-A702-000000009802}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000844219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:08.068{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54DF1C94D08A043F63C7FF4AD4C6E52E,SHA256=4BF1C13256DF09171643CD99CBEA15046A611597876CD6B56E28705E68B6701C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.750{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2445-6387-A902-000000009802}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.750{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.750{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.750{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.750{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.750{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2445-6387-A902-000000009802}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.750{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2445-6387-A902-000000009802}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.563{8A63456F-2445-6387-A902-000000009802}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000844238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.277{8A63456F-2445-6387-A802-000000009802}60726076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000844237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.158{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A28C4B48B1755133849960314CA2778,SHA256=A88FFFE762B859BDB596A29F0CAC042EDCB8A1008D7D3BAAC57C3092AE6C447E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.034{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2445-6387-A802-000000009802}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.031{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.031{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.031{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.030{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.030{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2445-6387-A802-000000009802}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.030{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2445-6387-A802-000000009802}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:09.030{8A63456F-2445-6387-A802-000000009802}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:10.045{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54EB6B65F831B7458A8AF52B738B6A95,SHA256=472F45E517A4A90B2270BC9341D19BB6822AA13D6EE69A25C7607C6B2EFC02FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:08.688{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54126-false10.0.1.12-8000- 23542300x8000000000000000844251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:10.301{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC95F85D3CAB718670CA96D3322AF4B,SHA256=05C9103C0930CB5D35DEE4CA91860B2C0D1440A0561635080F4A755D5EDA895B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:10.121{8A63456F-2445-6387-A902-000000009802}61166120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:10.030{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2445-6387-A902-000000009802}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:10.030{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2445-6387-A902-000000009802}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:10.030{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2445-6387-A902-000000009802}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000844253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:11.380{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421714B2C07E844D52A3186DF5F3EBCB,SHA256=DA31C1AD784FAF02338B9982D4ABD1A7B384AA591A4BF37A5BEF21461371C3D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:11.131{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E177B3F36003E6EA7F2BAB2ED59054A0,SHA256=1946FC2B5DEA0697EBEBB4D2D2B1137441F2CDF0605E14A14BA91A1F72B6BA57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:12.924{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BB3986618FCA1C8ED5C102B9E5E39FD,SHA256=F4B164C776294C0913448E6EB8B22CEFD4BA6460E93499CAFB7F0824F711FFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:12.496{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A2B08737D27720C4A0CEA2C01F526B,SHA256=3BA541454279A87ED1EEE99C3C1297F6EC14E1CBD74D212E0C6D330B082DFFA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:12.203{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886005982491BD276807B80DDA6ED261,SHA256=310C5C79C63A03FF7ACFDAF6FFA96330B7CEACC332719928F00F0963AE4CEEF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:12.037{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2447-6387-AA02-000000009802}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:12.037{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:12.037{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:12.037{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:12.037{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:12.037{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2447-6387-AA02-000000009802}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:12.037{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2447-6387-AA02-000000009802}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:11.855{8A63456F-2447-6387-AA02-000000009802}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000844264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:13.641{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B9DC29CD9BD2660062ACA9005F7512,SHA256=1838A83BA75353473E810A5620691BFE1E6382564684479CCB34B741F5747728,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:10.800{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50503-false10.0.1.12-8000- 23542300x8000000000000000393773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:13.280{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7C6279C4EBD108B8DC32AF2BAC8A98,SHA256=4DCFCE5DDEA996506EE7DE0FCB7269242BD6B7EC5BC4C62B694EF053C3332EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:14.738{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3CB4780131949AC093798B533A91F4,SHA256=C652045A9DDE8F307A069FD85843606CCA0CE5F6E6C5526E460DE2E7600BA6A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:14.364{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18EA770C06D719C0F3B9AD2593AF343,SHA256=9FB9409539C6C58FAE7AC488CD2C717AF4B33CCA5C882BE35DBFA89BCDBCDE9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:15.827{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4869EF662B766E97C732EB2D308758AD,SHA256=AA43539A941AC5047DA6A26A0D275607D824A7F25AC2523584894C074543CCB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:15.446{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01DAE60AF26D7E2F7A35C8A72757BB8,SHA256=57A4995EDE89672A0EEAB9FEA373B99C24BC3CE372D5C5FDA7A4D20E4ED8B6AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:14.678{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54127-false10.0.1.12-8000- 23542300x8000000000000000393777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:16.528{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19220F554F285A8670FBF4B7DC44DA6D,SHA256=D4CA2B075073FA22091FDC88C48B28E660879CB08A7B68710806260FD6BBAACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:17.614{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC32C3DB2CF8637C62BAAB4C1208C3EC,SHA256=BC358DD002CB5C78D2459513C96398CA94D1DCC68488111AAB7960A3CB573606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:17.015{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C792EB174AB04692D6575DD323BBFAB0,SHA256=5148ABB5A46359E5E6F347734B9CE746ADE93A85D44457B4AFD055BB7CCA0F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:18.729{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F9290FD7F052BE6F303E1B64527861,SHA256=5793C9350C29B2EBE410BB8AD9564D7FD91701E5BEE4E560F43BB33DBD40D6B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:18.648{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-065MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:18.000{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98529FC875B28F887F6F6D13B7E3A21A,SHA256=3ECD868AB52D16A80D219C5549244EDA9593D7FC3B6EF5A45C3581130DF05A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:19.704{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A67979C379BC5EF2AEDF3FC44FFAD4,SHA256=1CBD3B3ABE18D3B8338739ABA6D2233162E42561BC6FD808E0DE302A4DA540E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:19.080{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1182932684A0B32FE2F6E3F8FA9A1914,SHA256=5B71B0E2F01A775502F2F46F7568D3FA605ED015EC9E1E29D53CC006AA40F8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:19.654{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:20.786{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E059EED676E7861EEBDD2A88034866,SHA256=3D862D3BA7CBC9A8BBCC691618354F28FBAB830CE6099ABB2E994500C88F84D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.666{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.662{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.655{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.652{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.644{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.640{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.638{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.630{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.619{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.615{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.611{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.608{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.558{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.551{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.528{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.517{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.504{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.488{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.475{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.462{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.454{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.441{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.430{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.385{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.382{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 23542300x8000000000000000844276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.158{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF20D0242BD4FD0F161558B8B100224,SHA256=D9A61937C0437DC416A950A3C22BE7734E30DC71853EE76B39C0775B9046041C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.123{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.123{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.119{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.119{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 354300x8000000000000000393783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:16.822{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50504-false10.0.1.12-8000- 354300x8000000000000000844271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:18.151{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local62636- 23542300x8000000000000000393786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:21.861{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E5502DE2720D77D1C33E985B1149B1,SHA256=6BE8C29B7E81DA5E74760007E892DCEFE5749E85299D4F4A04E97388A9B9E6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:21.310{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FAFA6FDFEDD228094D30D3CC2582E93,SHA256=FA3C4421EA9AB1B6837091B37010BDCC0EDCB97FE9F894248E80358396673CCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:21.176{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 23542300x8000000000000000393785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:21.782{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CDA724DCE1382EC64AAE591E82E36174,SHA256=BFCF496EB03D00D1B1452421AEBC9CEF59CB2A949579EB76C52D6F15040EEA35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:18.173{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54128-false8.240.198.254-80http 23542300x8000000000000000393787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:22.940{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E9BC7BAD58C7B25793172FA6FEC0E7,SHA256=BB837BDF182E1844C4A3E80D1DF03E18325864F1331D272B3D987F8DC0FF97A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:22.259{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A310C49EAE2BC14F2E41D3B6469EDF4,SHA256=5FF93B8721F9164FE4E34B949A5BD06625FE0B1C85648F5DBBB0C1E57021BD68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.864{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.829{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.827{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.794{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.786{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.773{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.767{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.764{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.760{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.756{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.752{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.749{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.747{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.744{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.743{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 23542300x8000000000000000844310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.328{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE512A8564C03DB0ED671D63EC80EE0,SHA256=9A3DEA2BCD73A737B73611D792503D1F9EB6407C253DAF13CFC9AAB98C48A4F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.682{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.679{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.674{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.672{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.671{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.668{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.667{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.664{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.662{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.658{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.656{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.651{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.648{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.639{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.632{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.630{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.615{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.609{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.601{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.593{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.585{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.548{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.528{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.520{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.505{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.497{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.489{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.478{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000393788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:23.473{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000844309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.224{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000844308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:23.222{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 354300x8000000000000000844307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.472{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54129-false10.0.1.12-8000- 354300x8000000000000000844306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:20.401{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local58131- 23542300x8000000000000000393817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:24.278{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDE250CA356630CAF1F409AF2410947,SHA256=A98DF7C5754F843DBAF2EA5BD9FC1293C4C607155C941008874E0000866D4C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:24.480{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7F0E17F2853AF222E1FBEC5761AEFF8F,SHA256=530BCD19F28B560AC651076860D41940ED1842E283DA508FACA9B6A1900D0326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:24.449{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D870B81F9E495092D50155383B6AD5B5,SHA256=E8BC61B66F4774774F82ABD63C7604D6926399D8ADC05249AFFEDEE54AC2C4CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:24.371{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:24.355{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:24.355{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:24.355{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:24.077{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000844326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:24.077{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000844414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.798{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C157F4DF470E920E61053470B863290,SHA256=4FB3B9C136DDCACA5564C187DD07FB83DAE442C1EAD966C0935CFE47EB312ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.783{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397A8F6A8E7F5B42277600699DEB59FE,SHA256=C76B7835CA1F9829CA836DC507B57CDE472AD1984A2741D16877CA755318CA5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:25.416{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC4CE374127BB4AEEEFDE15A827D583,SHA256=D37668475E1E46A8501E79A4BB0518D351BF227AD953E6A3B3917C2838E4B21A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:22.828{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50505-false10.0.1.12-8000- 10341000x8000000000000000844412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.309{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.309{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.309{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.305{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.305{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.305{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.303{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.303{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.303{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.298{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.298{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.297{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.296{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.296{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.296{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.293{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.293{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.293{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.293{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.293{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.293{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.293{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.292{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.289{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.289{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.286{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.286{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.286{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.286{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.284{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.284{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.258{8A63456F-1471-6387-1600-000000009802}12801568C:\Windows\system32\svchost.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.258{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.251{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.251{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.251{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.251{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.249{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.249{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.242{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.241{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.240{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.240{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.239{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.239{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.239{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.239{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.239{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.235{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.235{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.234{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.234{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.232{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.232{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.231{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.231{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.231{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.231{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.228{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.228{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.213{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.148{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.136{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.136{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.132{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.131{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.114{8A63456F-1471-6387-1600-000000009802}12801568C:\Windows\system32\svchost.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.114{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.098{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.082{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.082{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.082{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.082{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.082{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.082{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.082{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd52|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.088{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000844335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.082{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:25.082{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd52|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000844418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:26.844{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2013634A0453388418CE846C1BEC2F29,SHA256=1DD99746199DD9C2303933FCE30D9CA12F09067596EA3610E81A9778D6074C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:26.405{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B9F452728F4E7BD316D0077A742B9F,SHA256=2CF3CF84EF0810077782DE90BF47873A6E78C740B72AF83D64D19C6EE06E9F69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:26.641{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:26.641{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000844415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:26.237{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=617EED6F607A3AFCD6103F2382076ECA,SHA256=92908051A2B6E3C997BFEAFE0E549CB9656059CB5F834D00FE74017179AFF183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:27.923{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F850E7797D99787FB2319F41548D5C,SHA256=22483008923E30486103493C3D09EEA560E4155F256913E85ACF4CBF7D469B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:27.502{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10DAA4F6185F1007709044DB574B6AED,SHA256=937FD6A5DB43D461078C2C8C3BCF1F3434AFEDE4BBF4B39BDED647520D27C3F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:27.089{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000844423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:27.089{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000844422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:27.089{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AC02-000000009802}5364C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000844421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:27.087{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000844420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:27.087{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000844419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:27.087{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2455-6387-AB02-000000009802}5356C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 23542300x8000000000000000393822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:28.570{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0C5C415EE7CFF55A445751E7C67E88,SHA256=0CD9B3DCAD8F14BBB8E5B8FD47D1164E6B3A7BD734ECCDA03C01F077B2365AE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:26.485{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54130-false10.0.1.12-8000- 23542300x8000000000000000393823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:29.640{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73DDC749B5DD480A77A899D5BE92EF6,SHA256=0D537C8AE331ABDEA73FC083E4F2ACA88B28F6639F52C7B648814C4CDDC2B9FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:29.970{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-2459-6387-AD02-000000009802}5480C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:29.954{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:29.954{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:29.954{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:29.954{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:29.954{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2459-6387-AD02-000000009802}5480C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:29.954{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2459-6387-AD02-000000009802}5480C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+4158d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:29.959{8A63456F-2459-6387-AD02-000000009802}5480C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000844427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:29.028{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419603B75B30FF1D51D1186048FB5A36,SHA256=F453027BF9551940F4B5F453950C458836F312FB8AD92D19E8E03E42A44A198B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:30.721{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF52F1B3ED62FE50326C22B0FF111B37,SHA256=67FBEF89E849FA95AA17955784BA8C60A269F7155CA077D06E3D70E5B343E819,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:30.351{8A63456F-1471-6387-1600-000000009802}12801568C:\Windows\system32\svchost.exe{8A63456F-2459-6387-AD02-000000009802}5480C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:30.351{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2459-6387-AD02-000000009802}5480C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000844436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:30.135{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A942EC5BC990372C98A90EA6D2946C8,SHA256=4BFA804D45B44A3D2D18EE850CCA7F73511ABD769195DFB8C78B486B86796F46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:27.847{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50506-false10.0.1.12-8000- 23542300x8000000000000000393826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:31.785{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE50879BA45FE80A97F7B2BD138AD44,SHA256=C9BFB0B6838AAA865F5756E7F71E19CAE373C50237A1D2596673B6F6D676665F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:31.220{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E9FC6A7E9873F11D57443968AFB453,SHA256=3B36A248C023D7E1BD9903C0270152399686A5581ADB60075CE45500CD2EFF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:32.865{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8F0F032B7E56D3B80E2E75E0D02AE1,SHA256=C720184ABFF1AF2AB13E1630BC07705A11A3CCE94905CB7E5ADEA52BD907E74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:32.316{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2522CC1BBD87E04821E80547F5EF5DB2,SHA256=C1C6D37908DF4F744C93148656BB2A7C67FE5F4A041E98FB0EAC713668EFB85C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:33.954{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFD9729F640D21C35DFD4611CF0B5A9,SHA256=E03D669C149B102BF513611A666B554114D0CA24D2EA26F54DD8280C66B024FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:33.971{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:33.971{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:33.971{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:33.971{8A63456F-2418-6387-9102-000000009802}21203140C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+6d1bf|C:\Windows\System32\SHELL32.dll+e7e5e|C:\Windows\System32\SHELL32.dll+1834dc|C:\Windows\System32\SHELL32.dll+198348|C:\Windows\System32\SHELL32.dll+2847f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+183780|C:\Windows\System32\SHELL32.dll+180b5e|C:\Windows\System32\SHELL32.dll+60781|C:\Windows\System32\SHELL32.dll+63666|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 10341000x8000000000000000844446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:33.971{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:33.971{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:33.878{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe8.45Notepad++Notepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=160E49FA853DB78E6148E9DC566D96D1,SHA256=5D7C97C8C0FC601CD232BFEE97F51DF83C0DC6519AE42ECF0D765E69EB56E1C3,IMPHASH=106BC08A539BA691222AAF2F52A2FC20{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000844443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:33.402{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE4761DAA53014C4C45A1C77541C913,SHA256=BD270FFB1E7629C56124F71FD4591D00E32FA93727FC68B480F9BD4FC068A3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:33.356{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-065MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:31.515{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54131-false10.0.1.12-8000- 10341000x8000000000000000844520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.989{8A63456F-2418-6387-9102-000000009802}21204216C:\Windows\Explorer.EXE{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.989{8A63456F-2418-6387-9102-000000009802}21204216C:\Windows\Explorer.EXE{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.989{8A63456F-2418-6387-9102-000000009802}21204216C:\Windows\Explorer.EXE{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.980{8A63456F-2418-6387-9102-000000009802}21203260C:\Windows\Explorer.EXE{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.980{8A63456F-2418-6387-9102-000000009802}21203260C:\Windows\Explorer.EXE{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.979{8A63456F-2418-6387-9102-000000009802}21203260C:\Windows\Explorer.EXE{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.979{8A63456F-2418-6387-9102-000000009802}21203260C:\Windows\Explorer.EXE{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.974{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.972{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.967{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e30c0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.967{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ba330|C:\Windows\System32\SHELL32.dll+e307c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.967{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3050|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.967{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.935{8A63456F-1471-6387-1600-000000009802}12801568C:\Windows\system32\svchost.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.935{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000844505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.903{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC7F5D04E05A06EA482CB1731C4DAA52,SHA256=C3143F86F68834833FA5DF570C6ECC073CB5DF215F473F9FEA5151388E5974B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.713{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.713{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.713{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e30c0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.713{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ba330|C:\Windows\System32\SHELL32.dll+e307c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.713{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3050|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.713{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.624{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.622{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.622{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.545{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.545{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.501{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.418{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.418{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.418{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.414{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.413{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.413{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.411{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.411{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.410{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.406{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.406{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.406{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.406{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.405{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.405{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000844477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.402{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34133C7E90CC71E39E98B26EAB38179,SHA256=5C6AD69C943BEF0082B6CFDD3D497E260400A01995AEAB3A14AC3958386EFE91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.393{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.393{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.393{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.393{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.390{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.389{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.389{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.387{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.387{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.386{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.386{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.380{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.380{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000844463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.356{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.313{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.313{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.313{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.313{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.309{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.305{8A63456F-245D-6387-AE02-000000009802}51685528C:\Program Files\Notepad++\notepad++.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a198f|C:\Windows\System32\windows.storage.dll+a1605|C:\Windows\System32\windows.storage.dll+a10f6|C:\Windows\System32\windows.storage.dll+a2568|C:\Windows\System32\windows.storage.dll+a0f1e|C:\Windows\System32\windows.storage.dll+a3abd|C:\Windows\System32\windows.storage.dll+a41fc|C:\Windows\System32\windows.storage.dll+a3560|C:\Windows\System32\SHELL32.dll+49e6f|C:\Windows\System32\SHELL32.dll+49cfc|C:\Windows\System32\SHELL32.dll+49a4c|C:\Windows\System32\SHELL32.dll+1148a7|C:\Windows\System32\SHELL32.dll+114805|C:\Windows\System32\SHELL32.dll+13eb9b|C:\Program Files\Notepad++\notepad++.exe+19eab5|C:\Program Files\Notepad++\notepad++.exe+34dd32|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.287{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\GUP.exe5.23WinGup for Notepad++WinGup for Notepad++Don HO don.h@free.frgup.exe"C:\Program Files\Notepad++\updater\gup.exe" -v8.45 -px64C:\Program Files\Notepad++\updater\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=82E2FE2F52EB8ED103872E13D62B4EBA,SHA256=09DCCF3B62BC0FD3DA34C399BCCE282ABFBD68AD000B0FADE51BE84109AC2ED0,IMPHASH=E701E8EF4E4DC8123B85C54C8532ABB5{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml" 10341000x8000000000000000844455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.263{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.263{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.249{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.216{8A63456F-1471-6387-1600-000000009802}12801568C:\Windows\system32\svchost.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:34.216{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000393830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:32.886{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50507-false10.0.1.12-8000- 23542300x8000000000000000393829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:35.045{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF56E2E64D3F2256F4B462AB566D72A,SHA256=D5B9576E9DD67A48A18222ADBA796282DBFDF5B40319F8FF82639A4E7976E428,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.904{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000844537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.904{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000844536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.904{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000844535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.902{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000844534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.902{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000844533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.902{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 23542300x8000000000000000844532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.380{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41784980B814A3104EE06ED962D8D583,SHA256=5002CF29324B1FF6C5BA85FFA0BE15116D27C4505389C78C25A02449C7E142D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.324{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.324{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.324{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.297{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.297{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.297{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.132{8A63456F-2418-6387-9102-000000009802}21203260C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.132{8A63456F-2418-6387-9102-000000009802}21203260C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.132{8A63456F-2418-6387-9102-000000009802}21203260C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.132{8A63456F-2418-6387-9102-000000009802}21203260C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000844521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:35.116{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F4A9F9D35145B7EC4979C5E26074F8,SHA256=711AD0E809D9F9FDEFECFD9A405AC3B714AD10A21C733D25918E5A16227AF89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:36.470{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09D8142BEFB7265F50B0447FDAEB33C,SHA256=97A5A5883CAA6388D7E4EF8475756BFEBD6A84D15AA55B475D1136F94DFD778D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:33.989{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54134-false172.67.213.166-443https 10341000x8000000000000000844546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:36.423{8A63456F-147F-6387-2600-000000009802}25962348C:\Windows\sysmon64.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:36.423{8A63456F-147F-6387-2600-000000009802}25962348C:\Windows\sysmon64.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000844544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:33.839{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-54133-false127.0.0.1-54132- 10341000x8000000000000000844543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:36.423{8A63456F-147F-6387-2600-000000009802}25962348C:\Windows\sysmon64.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:36.423{8A63456F-147F-6387-2600-000000009802}25962348C:\Windows\sysmon64.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000844541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:33.839{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-54133-false127.0.0.1-54132- 10341000x8000000000000000844540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:36.423{8A63456F-147F-6387-2600-000000009802}25962348C:\Windows\sysmon64.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:36.423{8A63456F-147F-6387-2600-000000009802}25962348C:\Windows\sysmon64.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:36.130{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477C783D9EC6832BD9F173B178ADDA03,SHA256=6319C5F5A976FE0946D473C0597AD5F0762C414E98810AB950ECFAF45E67708E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:37.576{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CAB9A16734FA27E7ECA2C749BBE928C,SHA256=E9D27AEB60F3F76CCC195D38C88DBF6FBF9777C778F251465BDDDA8D45E691CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:37.560{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8744FD4848684F8F8B0DA8726D50304D,SHA256=245E971F808008F5B69DC26E1ED99CC2E7E9DC488B9AABE2144EE6338D7A4428,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000844550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:33.971{8A63456F-245E-6387-AF02-000000009802}5632notepad-plus-plus.org0::ffff:172.67.213.166;::ffff:104.21.23.210;C:\Program Files\Notepad++\updater\gup.exe 10341000x8000000000000000844549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:37.467{8A63456F-147F-6387-2600-000000009802}25961700C:\Windows\sysmon64.exe{8A63456F-245E-6387-AF02-000000009802}5632C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:37.219{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D53407462E5D2E542CA61ACF1BA47F,SHA256=CAF9E94D3C0E44B79E5822A1E89A75545C336E9F4936C02201ADCA312585AFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:37.188{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E16B0D902C0792FE1326931C9C777D8F,SHA256=07FF392D4B973F5715E295B594E42EED2320ADF57EF8C052199ACFCEDDFFCB86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:38.554{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE658EF8EB0BA14D77D801A93EFD65C,SHA256=3262E1452A58A703BFD5A6DDC359828588E611ECEF770E5C2E7BCE9DB36E0DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:38.298{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42AFB4A4B5A7A7869345A4A6BCA80205,SHA256=3E012F24C0EC18127E8C06D29BC5D728BBF79972F1B8A6BFE1EF8CDB7E8D9486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:38.323{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4D6977CE2DAB74306AE6BF537C67A62C,SHA256=E8FA4E0CA9AE9A18B62BC35D6622D1E5CDE995CCE9C26300507250EFE8562F83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:38.022{8A63456F-2418-6387-9102-000000009802}21204216C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:38.022{8A63456F-2418-6387-9102-000000009802}21204216C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:38.022{8A63456F-2418-6387-9102-000000009802}21204216C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:38.022{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e30c0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:38.022{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ba330|C:\Windows\System32\SHELL32.dll+e307c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:38.022{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3050|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:38.022{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000844563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:39.638{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA747E3FDE1B0579CB28EE5C662D66C,SHA256=4D88EEA10F383DC6F2A3E99B19A225786D2C67F5265035F0F9F3258FCB9ED733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:39.360{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0F0C8270523F1C7C93A8940DB61AF6,SHA256=BD9C557BB7696AEE02001222562FE337C183672D9FEF93D8956B992483C0A7DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:36.610{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54135-false10.0.1.12-8000- 10341000x8000000000000000844589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.970{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.964{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.954{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.950{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.938{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.934{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.931{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.917{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.895{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.888{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.883{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.878{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.740{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.709{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000844575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.706{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980A5678A90A91E2F803C911462293C2,SHA256=E4405F07E8A6CF6377DA9F2515EFE6FB381F3A1547CBA5B649A6611566FE1D13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:37.933{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50508-false10.0.1.12-8000- 23542300x8000000000000000393836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:40.441{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F0E2196999D1A280AE169E37E943198,SHA256=83ADE0F63582B24D1DEB41E7522CA4E4DE8F074C392B0BA54D47633170E76943,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.635{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.617{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.608{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.584{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.552{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.519{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.498{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.468{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.449{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.392{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.390{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000844593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:41.852{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502D363AD2C48F8B9FDABC4C28DB0AFA,SHA256=A901AB339AC07B32986FFAA7CBF964C162145CDA0805F31562052D733C803D73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:41.527{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC255E43C2DEFE15100CA48BA08B03E8,SHA256=8DE689B2CD5CF38D40089FED2165E03B93FA7518C421AD9820852D731B20743D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:41.525{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:41.270{8A63456F-2417-6387-8502-000000009802}20564120C:\Windows\System32\RuntimeBroker.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000844590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:41.270{8A63456F-2417-6387-8502-000000009802}20564120C:\Windows\System32\RuntimeBroker.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+8aaab|C:\Windows\System32\combase.dll+8bde2|C:\Windows\System32\combase.dll+39aa3|C:\Windows\System32\combase.dll+8bfed|C:\Windows\System32\combase.dll+37eec|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000844595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:42.925{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7757F17AD9D08602EDFEF373214596C8,SHA256=55F7392C9FB87F4279288F909A9D86839505AFE22CCC832B3D09415B8851D22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:42.624{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A16E9F8D39A2060CCE0904D3B6DB806,SHA256=056CBBEF2F26F1FAF5793FAAD77137B2755623F36956952ABFEC5E28D7F14B0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:40.291{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54136-false72.21.91.29-80http 23542300x8000000000000000844602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:43.984{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A3292D11F35DBA3950173BD1FB37C1,SHA256=A5D600CF626A950ADB423B29FFAF25B3D9E3FE13B270DCCB795973A3CFA8AFAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.696{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3E81677C4339ACDF371CE3B1DCBF44,SHA256=447CBF8C41516868D6F2382AAA7528B3ABAE19299FF55DC0D9501534F39EBBA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.671{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.669{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.666{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.663{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.662{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.659{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.659{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.655{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.653{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.646{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.644{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.639{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.636{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.630{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000844601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:43.540{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:43.534{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:43.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:43.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:43.066{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:43.042{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.625{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.622{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.612{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.607{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.601{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.594{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.586{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.544{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.535{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.525{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.508{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.498{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.488{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.486{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.480{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 23542300x8000000000000000393870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:44.665{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60EDAE85B45B8D03E58C3203805E30A,SHA256=C332382ABDC9E1CFE1E402E470A6CC12DBBB2F7F2E803433CCA1DCDD129D66B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:41.625{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54137-false10.0.1.12-8000- 10341000x8000000000000000844618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.160{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.147{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.136{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.133{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.105{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.099{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.089{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.073{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.070{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.067{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.064{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.062{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.060{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.058{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.056{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:44.055{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000393871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:45.728{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EB18FAC4B69235954630F97E0BF0EC,SHA256=32B67E9F50141D4A0045C0AFA7C0D3C2D9C5E2B2451BD49A7AA5EF26C2B50612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:45.061{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D67B103C765BCC1664AF767A3D5983B,SHA256=94F8DE0219F6563FF06E6A2D5983448AB98D3B6D1A21EB0414314D82E62D4FEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:46.803{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=408836BB11ABCD97508482BE87A9675D,SHA256=CD080D91F2D1FB254462293037632572A1789EC6AEF7A7FA3D214ECB97DBEED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:46.158{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC70D1ABE4E073F070BD034005D46834,SHA256=CE2CC26196F2F647BFB083CFBB13C7E4AC62B21ACA29E69B0A321921FFCFF7FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:46.237{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:46.237{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:46.237{E56ECBBF-146E-6387-0B00-000000009902}6441464C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:46.225{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:47.901{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B46928CA01AB2B073690C7C6C5B6806,SHA256=A57A7D7F1DAD59DCB00250306F64173B763755541491F8CD10177FDE8E20D50B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:47.248{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06BD70C7254A35DB2BC56A463C1365D9,SHA256=E78FB926BBC5BB25585E8DD8F7D763B332DDC41A4BFAE2229E6C42B63B59E831,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:43.806{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50509-false10.0.1.12-8000- 23542300x8000000000000000393879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:48.983{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A75C0538865E325B50F3F1EF34D773,SHA256=7308119320D40C3AB7205AF653F38FCBA86A6A1B9D83F82157D9A6535F362D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:48.335{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4CEC9135E18AC64E20DCFEB6FBDF13,SHA256=CC877FD903EB2F59B20DCF811CE99DD54069069AA603A8A6C4938D6C8AB9E28D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:47.655{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54138-false10.0.1.12-8000- 23542300x8000000000000000844624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:49.413{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BC544F532B5F216AE47F11530232B5,SHA256=4B570E01CA95A8774047B51FB5429265D18DDF6DBBD62DB169D8200D6530D249,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.951{E56ECBBF-246D-6387-7F02-000000009902}33562532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.798{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-246D-6387-7F02-000000009902}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.796{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.796{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.796{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.796{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.796{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.796{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.796{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.795{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.795{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.795{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-246D-6387-7F02-000000009902}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.795{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-246D-6387-7F02-000000009902}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.795{E56ECBBF-246D-6387-7F02-000000009902}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.732{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:50.491{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34F9E8E23E559510695B4A19A20CB54,SHA256=4B91954A070B0AC8C292D48FC04479BE0F241182D0FB0DE22CFFBA72142C0722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.934{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=85F5D553DDA23504B23517384763D8CA,SHA256=46F81E65C873BCE89A2A345B49242DB5D2D02B1DF2351EC7BED3491DFFCD09CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.819{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C732CE2CC6DCA3FF033D5AB539A6AAC,SHA256=6696318B7D7EABB1313E773402CD6C411D62F151749676AAB55117C00FC8A293,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.427{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-246E-6387-8002-000000009902}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.427{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.427{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.427{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.427{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.427{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.427{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.427{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.427{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.427{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.427{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-246E-6387-8002-000000009902}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.427{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-246E-6387-8002-000000009902}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.428{E56ECBBF-246E-6387-8002-000000009902}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:50.052{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A297610DCA9033BCF95BFC8BD86B6A57,SHA256=1539DFC40B0482505EB622A973A23D09B83D17E10864A1B25D7D851716CB82A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:51.589{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94AE81062354D649268395495B550853,SHA256=496898D8619AFF9F65739DE279607697A253BF1090A1B3AFFD0A902142B5351F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.946{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2325C492FC5F58B888C71E280D6DB285,SHA256=367157513D8B9E5149100E035B4C5ED1EC0B359B0067C480335FC875BF462ACF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.209{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-246F-6387-8102-000000009902}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.209{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.209{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.209{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.209{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.209{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.209{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.209{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.209{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.209{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.209{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-246F-6387-8102-000000009902}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.209{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-246F-6387-8102-000000009902}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.210{E56ECBBF-246F-6387-8102-000000009902}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:51.131{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D7074909A0089D61BA7E64A83D9879,SHA256=53714D248EF7BA893153A1A17B0C9D4618897B73C0A8EC4F496678EEC2AF4E2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:52.929{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:52.679{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD5D760036FDFF02291E67BFB73C2F6,SHA256=97BD0905FBAE072F48DC367F2EA0E8F0E9DB5B91A0B8EC259F02D72DCA2BEF3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:49.008{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50511-false10.0.1.12-8000- 354300x8000000000000000393927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:48.469{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50510-false10.0.1.12-8089- 23542300x8000000000000000393926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:52.219{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2AEB42CB66CE8E5C5DF0DBA61B6775,SHA256=44D2FD6A86B02F3673651935443481483E226232886786B8E96714BBA663C46B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:53.761{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E08F0A5DE4BF5A86D257359B191840,SHA256=9EA0BC742F4665FBB7D33CA9462B8239D7206883254933F16C5CE272F20D90D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.869{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2471-6387-8202-000000009902}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.867{E56ECBBF-2471-6387-8202-000000009902}31883628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.708{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2471-6387-8202-000000009902}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.708{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.708{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.708{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.708{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.708{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.708{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.708{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.708{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.708{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2471-6387-8202-000000009902}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.708{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.708{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2471-6387-8202-000000009902}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.709{E56ECBBF-2471-6387-8202-000000009902}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:53.302{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD8B8D4EF3ACB36E29947C90214D738,SHA256=50CDC21B9674BE44AD295212802497E4DF352030C900C017B77DF6BBEFD5C682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:54.850{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63ADD6EF2DA9765AAE3AE192DEAC22A4,SHA256=2A5D8C7B62CB4A46D9A736ADEFEB0A1EFF9599532E3E6E90C9733B3C744D7D9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.573{E56ECBBF-2472-6387-8302-000000009902}19003060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.385{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27203847CA752C419832BED8C07E3B64,SHA256=756A7AB82D0ACE3121C9B9498E32B1A363167812B29D97419216415482F74D18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.385{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2472-6387-8302-000000009902}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.385{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2472-6387-8302-000000009902}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.385{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2472-6387-8302-000000009902}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.386{E56ECBBF-2472-6387-8302-000000009902}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000844631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:52.375{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54139-false10.0.1.12-8089- 23542300x8000000000000000844634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:55.929{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD35D5502623EC44919392D48F1F487,SHA256=CC65695A2710271D6147E70C793F15B127E478C936D0544F291E11D644EF13FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.975{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2473-6387-8502-000000009902}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.975{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2473-6387-8502-000000009902}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.975{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2473-6387-8502-000000009902}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.854{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2473-6387-8502-000000009902}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.854{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.854{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.854{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.854{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.854{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.854{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.854{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.854{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.854{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.854{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-2473-6387-8502-000000009902}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.854{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2473-6387-8502-000000009902}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.856{E56ECBBF-2473-6387-8502-000000009902}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.854{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016E99425B133EB571363F5D76425C8C,SHA256=30E8B6C7F63BAF5384B339CDEB02C4090E7FFCD3F275C335C21E0D116F7CAF25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:53.572{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54140-false10.0.1.12-8000- 10341000x8000000000000000393973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.221{E56ECBBF-2473-6387-8402-000000009902}1008376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.064{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2473-6387-8402-000000009902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.064{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.064{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.064{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.064{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.064{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.064{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.064{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.064{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.064{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.064{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-2473-6387-8402-000000009902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.064{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2473-6387-8402-000000009902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:55.065{E56ECBBF-2473-6387-8402-000000009902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:56.891{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855AF4C13F6E9A3345BF79E3BF9CE09E,SHA256=7105EDAD8F5E4C774A098630CAE7CB75B2819B589684545A280AB01996E11C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:56.239{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6543E2B818A94FE6CD8331872C8DED1,SHA256=13C862AEFABE3C7640CCF8E93A11C88F1B63DBCD098372472BEABF41A94FE7ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:57.992{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08874A3C01366A501A33DEB537B1F0C5,SHA256=1900F91CA3FB925C2CD54CCA1C7E0E8A37991C842B943DC4256C0B6A1E924207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:57.038{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010B21656B37DCB3ECD7119232CACD9D,SHA256=FB38008304660DED75C65FF21398375E0BCFB72E24A70D4B037CEC08D667CC4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:58.146{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=782343186A5F9776499A92235A16ED2B,SHA256=F5E08A3DA5FFDD04A5B843E1629AE63592EBB7E4D1E8E727F58B506B8D8BBABA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:54.992{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50512-false10.0.1.12-8000- 23542300x8000000000000000844637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:59.252{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EE4926FA8645A909E7602B598886DA,SHA256=807007FC3C6F42C6E2B3CDBE9C0B6BDB34C94967DB7793D983697037CAB82DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:37:59.070{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDFBA4886348E0E1B0592327C17D9D4,SHA256=0825E48C3DBDBE7316F852CD421224319309E5B5E0F2CDB959241F63579CB159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:00.170{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A467A1590CC98AEE42E2C3DCBF996873,SHA256=A3873D868017C6186F2FE63B1E43E74E8BDE215FDB661161E3E70957722572A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.694{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.689{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.680{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.674{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.663{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.659{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.658{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.649{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.640{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.636{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.633{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.629{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.573{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.562{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.528{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.518{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.509{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.496{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.486{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.472{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.462{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.450{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.438{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.386{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.382{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000844638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:00.364{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6DE27446E8D485CA18DC9EED5DFDAE,SHA256=751146C146E88EE78E979657E1C23875D26CB27F608F305DC7D5D749219834C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:01.244{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A583D62C65BDF12307F36E33B48C9A,SHA256=52754C29B42D6A9894F18401A83ADF62BA348FE4FF8597FB871A72741E192BA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:37:59.554{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54141-false10.0.1.12-8000- 23542300x8000000000000000844665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:01.393{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C298C28BFB8743A5D9A06A4EA1DDB8A8,SHA256=95FE8E9CF92C1D5D52B898B8DC441E6B342C6F665C3EA3A634B65AA0F54A583B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:01.195{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000393998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:02.307{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3463083D3025AA8C26B8FACC14A08749,SHA256=4400C67706D07EFEA18DCA999640178BA53BCE29668DFBCAC6131804753C4A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:02.495{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D0B235446D0B70DC5CFBCBE3C374D6,SHA256=C73CAA512738816A3DB6F515B6717FF173E37852B83597A6C70D03E283021803,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.669{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.660{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.658{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.656{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.655{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.653{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.652{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.650{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.648{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.645{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.643{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.639{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.637{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.630{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.624{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.622{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.606{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.597{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.588{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.579{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.571{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.545{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.538{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.525{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.518{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.511{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.499{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.489{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.486{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 23542300x8000000000000000393999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:03.396{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4EFCD548D176E27A62C502E8092F58,SHA256=3DBB6ACCE7A81D677FB812D2696C1A00CF89FB19BA88B04897CE226B4A760F24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.985{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.970{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.960{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.958{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.885{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.865{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.833{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.817{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.805{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.800{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.789{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.777{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.768{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.759{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.753{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.751{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000844670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.556{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823B6495E63F880D10A2315ECF677B71,SHA256=59525BC023E09FC9918B8C833E22294B78E44BCAA2DF145AD7B70173E8116586,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.241{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:03.240{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000394030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:04.948{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97ABED9B861DEB46504FA4B9BCFBF306,SHA256=6696582E397DBF3DA1D0D63659EE1539D36BF3384573A737CBD60D4691BFDB28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:00.754{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50513-false10.0.1.12-8000- 10341000x8000000000000000844695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:04.881{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-247C-6387-B002-000000009802}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:04.881{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:04.881{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:04.881{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:04.881{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:04.881{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-247C-6387-B002-000000009802}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:04.881{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-247C-6387-B002-000000009802}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:04.883{8A63456F-247C-6387-B002-000000009802}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000844687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:04.615{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB30174C9E7D40B3E7F68CE39DDB0ED0,SHA256=11E66EE942FAC78A807DA0BF5E8A37FC5CA450EF330FD9A22868FAB40C2D1863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:05.580{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6696728CF59A3D08EADEAB6D6BC0D97,SHA256=42165C82AB41F2AC8B51CD700196A9A09BE7B62AE9AD0B8457650F23F0113E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.937{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=526B06A510B1E2C5BAFA12C910BC18A5,SHA256=F7248FE192B9FAB0B092775FE0BDF638C5DDC9403AB47366CAFFB8F41EF7BDC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.687{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3091BE6B2EB885C40219C007919FD3C6,SHA256=985FB773F28AE00FABF71EFA152D22EE01D8428653B15238975BE063D30CC46B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.484{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-247D-6387-B102-000000009802}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.484{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.484{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.484{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.484{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.484{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-247D-6387-B102-000000009802}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.484{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-247D-6387-B102-000000009802}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.485{8A63456F-247D-6387-B102-000000009802}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000844697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.328{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A84DD85D69C0598E95270949E8EF8322,SHA256=E2B61D6B672A25397C93A408EF61DBD6C17231AE608FCEA8F699162DDDE26604,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.029{8A63456F-247C-6387-B002-000000009802}57205728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000394032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:06.664{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE196BDE32BD6F745D6BDDF4A567D413,SHA256=22F14B8CE0AF8CD9C879E243D49885000B3C6A8256299D4E0F165B485219B317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:06.817{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D0975F3D144C994197F3347A80F19C92,SHA256=FF56D93F2CEC88A1ADA9BDA5534384BB8EB795C82B6D16B41A68BCDE851FE0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:06.770{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BD09A9BFD3F50C64F2E2EE5D8453C6,SHA256=6E3505D6CFAAEA0BD8FC86F40EAFF0423AFFEB254C415B16BCD46E436F0CE3AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:06.001{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-247E-6387-B202-000000009802}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:06.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:06.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:06.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:06.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:06.001{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-247E-6387-B202-000000009802}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:06.001{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-247E-6387-B202-000000009802}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:06.001{8A63456F-247E-6387-B202-000000009802}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:07.769{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=426C11D6EF9DA981022D833488A76AE4,SHA256=D85FBC38782958DEDA87B90D8026FA969A0407D0B0F56383A2F328DACDAD02A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.840{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54143-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000844720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.840{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54143-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000844719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:05.577{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54142-false10.0.1.12-8000- 23542300x8000000000000000844718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:07.853{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA20896BA847269268AC8B68391D25FE,SHA256=2A84A4BC5ACAAE7A8E54317FCD0908EC0A73DBE463A053C6527E3635E57551E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:08.855{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0CE011F4F0CD9AFA6A41ABA482E258,SHA256=5BFDB0C66C9F7C909BDDF841ECEA2272A5FDD4F03F29A8B29BF2ADAB91930514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:08.951{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E106222B6110D8AF73B9B3E61DDBCA8E,SHA256=3CECB63FD8A70961115EDBE58F7CEA277E246ECA5B424C2AF270626C47D63981,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:05.956{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50514-false10.0.1.12-8000- 10341000x8000000000000000844730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:08.623{8A63456F-2480-6387-B302-000000009802}57725812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:08.420{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2480-6387-B302-000000009802}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:08.420{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:08.420{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:08.420{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:08.420{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:08.420{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2480-6387-B302-000000009802}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:08.420{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2480-6387-B302-000000009802}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:08.421{8A63456F-2480-6387-B302-000000009802}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:09.938{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BDCCDB7EFA07A9989A83588B347058,SHA256=C299FC744F81492CA27D334CC1E0E4AA6FFCD307393E255CA227AB1203623D9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.764{8A63456F-2481-6387-B502-000000009802}28681988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.545{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2481-6387-B502-000000009802}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.545{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.545{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.545{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.545{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.545{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2481-6387-B502-000000009802}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.545{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2481-6387-B502-000000009802}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.546{8A63456F-2481-6387-B502-000000009802}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000844740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.313{8A63456F-2481-6387-B402-000000009802}51085836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.052{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2481-6387-B402-000000009802}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.052{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2481-6387-B402-000000009802}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.052{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2481-6387-B402-000000009802}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:09.054{8A63456F-2481-6387-B402-000000009802}5108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000844750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:10.052{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6FBA4B7BCA1D6DF1FF98138A17F33D,SHA256=D1ADD8B0D2DC5917986124130B61156FF2A77812ED9615CF80369491DEE8F337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:11.028{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A262956FAECE85AD5E607E317149B7,SHA256=C962CB19085008AB51EFEAC3E6AB10DAA45CFC82AE4AF6DD0B0791C4D3F4B9BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:11.868{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2483-6387-B602-000000009802}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:11.868{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2483-6387-B602-000000009802}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:11.868{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2483-6387-B602-000000009802}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:11.869{8A63456F-2483-6387-B602-000000009802}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000844751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:11.137{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE4D13D316A3F9A0E73F63B09EB498F,SHA256=A55BA31ACEDE1EC33844D9CFC895FE011143DBB9292615F1FA78BFA36DF20D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:12.110{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD4D6F4E3DD9915B535BDCE0D779C04,SHA256=04C752E263B3D371770E292B73BBED61500C4BF6A36CC9B468C26F526003579E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:12.925{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEF503547BA3BFCFFA8EBE05772E4D7F,SHA256=DC1A2E311667ECF5E2A9D1B1F4A48D504177183B334DAE10C2F0C6E23FA60C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:12.188{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593E79C9353F3AD82C54FF1E39584C3E,SHA256=C1374929ED434E94C46B27530054C7F793257197AE3706FD4B691F7937B7A420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:13.199{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22ADA17E0084DADA354150DFBF5E480,SHA256=D2C57F1BD201922FD41BC913028A67049ED98ADF8B9E2A3B4EA2B9FFC58E8CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:13.247{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3CB50F1B8D3FA3D151DC58DA284EBA,SHA256=165299D4AD8573318EC2DE737A7D987F760B1429D2A09684601DEFD048F6DE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:14.338{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35454051A2B61E459481CB1F4AD33A3B,SHA256=8A820CEE50D10666AFF30084193ADD6D6283CC7F76937BB22A75DC7288A4182F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:11.873{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50515-false10.0.1.12-8000- 23542300x8000000000000000394040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:14.282{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE095E5B9B734B8C634588842F24D931,SHA256=F1C82B4E1A3AA1A837B90D96A68FAA3C180B7B73A9250CDE1347798FD73E68A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:11.539{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54144-false10.0.1.12-8000- 23542300x8000000000000000844765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:15.424{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009CBC0AC278D9D05CA6471C90E37F49,SHA256=07D5B0A62995875C38C09077EEE37AB2A590024B40017862938C79E8BA58AB81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:15.350{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970A1305603CCBEDB3BCBD3AB8E05FFF,SHA256=1A998074DC6545C2134CFF1BEFAA0A51ECDE4EF50080B06A1DC3D81BCD862A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:16.503{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B12A5FF4C3E76B4012276FCFD53C274,SHA256=3BEF5F298C0BB09FF02D67776B07F9F1E3C397B034EDA1CDD53FE9E4EA48053D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:16.427{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D527AD2101FFC38AE66B8CEC229CE881,SHA256=A37900F9C9EE91EA0DFAFBD3235283F48870572D46960BEECFC77789ABD73A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:17.591{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8A5F5719C1927676E20FDD5255F13D,SHA256=3CE513324815EA4D0D6CD170F7CE7C990B776E326E2EDFA9E2577A3E25B61050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:17.494{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484E7BFC3A73AB95C385CC7AA0137133,SHA256=3E2E83208659786B0B3677F7EBA95F3CBD18CA48BB65E96AADADA94765791D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:18.686{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13D22794CA485213ABB4FC4761EB633,SHA256=B189DA8D935D940E5613A44CA2FAE9890FED4D386004A7FDBF222FD9FB0BC3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:18.566{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B4F991A4AA32A397C1528FF3F64201,SHA256=FB48730B9FDB71437D525260CF016BFE391510E8F8930EC84F447CE47C8821A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:16.984{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50516-false10.0.1.12-8000- 23542300x8000000000000000394046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:19.635{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD42F6F7C47613F2AB5A41C92BBD9DF3,SHA256=19827C88344BCF5A357BE2CCCACBAD099EAA32AC021CF7D06E7376CF3734EA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:19.790{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3700EA4CD0530EBF92EB7BBE5A9EC9A,SHA256=942213939D661E51517E368524B1931E43EFA5527E03C680A86858B09E59F70C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:17.513{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54145-false10.0.1.12-8000- 23542300x8000000000000000844845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.902{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=084A1BA6B99BA9164D1FB6D322A2C9B3,SHA256=785140D396212DF0067832165BEDCFB0C3816C9F437C8395769281DC8F906905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:20.726{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14F02691CBD87D76868D4504DBF0D9E9,SHA256=DC064D198BB873A140D7B5BD51F66770AF9633C3F5DCF2975A62BCE695F9BD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:20.177{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-066MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.643{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000844843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.639{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3E5950741A9FDAF0D892CDBAC8FC64,SHA256=4F0EB197BB7CE3F3C8635AE518DC67E24E97CF712F86F76DFDE7C120BB286774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.638{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.631{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.629{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.621{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.619{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.617{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.611{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.602{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.597{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.595{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.592{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.559{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.552{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.535{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.523{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.514{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.505{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.505{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.505{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.505{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.505{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.503{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.497{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.497{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.496{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.496{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.496{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.493{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.493{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.491{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.475{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.461{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.447{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.432{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.383{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.378{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.219{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76afa|C:\Windows\System32\combase.dll+6d8bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b203|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000844805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.219{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76afa|C:\Windows\System32\combase.dll+6d8bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b203|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000844804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.203{8A63456F-2418-6387-9102-000000009802}21205920C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.203{8A63456F-2418-6387-9102-000000009802}21205920C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.142{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76afa|C:\Windows\System32\combase.dll+6d8bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b203|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000844801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.142{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76afa|C:\Windows\System32\combase.dll+6d8bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b203|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000844800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.109{8A63456F-2417-6387-8502-000000009802}20564120C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000844799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.109{8A63456F-2417-6387-8502-000000009802}20564120C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000844798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.109{8A63456F-2418-6387-9102-000000009802}21205680C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.109{8A63456F-2418-6387-9102-000000009802}21205680C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.109{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000844795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.109{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000844794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.080{8A63456F-2418-6387-9102-000000009802}21203048C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.080{8A63456F-2418-6387-9102-000000009802}21203048C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.080{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.063{8A63456F-2418-6387-9102-000000009802}21203048C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.047{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.047{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.047{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.047{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.047{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.047{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000844784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.047{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000844783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.047{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000844782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.047{8A63456F-2418-6387-9102-000000009802}21205884C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.047{8A63456F-2418-6387-9102-000000009802}21205884C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.031{8A63456F-1471-6387-1600-000000009802}12801568C:\Windows\system32\svchost.exe{8A63456F-248C-6387-B702-000000009802}5896C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.031{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-248C-6387-B702-000000009802}5896C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.010{8A63456F-2414-6387-7E02-000000009802}4328992C:\Windows\system32\csrss.exe{8A63456F-248C-6387-B702-000000009802}5896C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.010{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.010{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.010{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.010{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.010{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-248C-6387-B702-000000009802}5896C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000844772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.010{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-248C-6387-B702-000000009802}5896C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+4158d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000844771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:20.018{8A63456F-248C-6387-B702-000000009802}5896C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000844871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.957{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114E6C072A311AC9C60A2D7028D409FB,SHA256=CE3C8D5E3B427A4C3AD62A13E303C300FDBCB8D0A53E21C4CEAAF659CA530637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:21.788{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C088BB898D4D604CC6DBB54BDE725901,SHA256=B07A88DA30956AFA4AC0B5387720FA765180BFD63DD26ABD03B78D8CE4B94A23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.454{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.454{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.454{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.454{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.452{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.452{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.450{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.450{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.143{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000844861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.143{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000844860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.128{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.128{8A63456F-2418-6387-9102-000000009802}21205992C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.128{8A63456F-2418-6387-9102-000000009802}21205992C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.128{8A63456F-2418-6387-9102-000000009802}21205916C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.128{8A63456F-2418-6387-9102-000000009802}21205916C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.128{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.128{8A63456F-2418-6387-9102-000000009802}21203048C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.128{8A63456F-2418-6387-9102-000000009802}21203048C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.128{8A63456F-2418-6387-9102-000000009802}21203048C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.111{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e30c0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.111{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ba330|C:\Windows\System32\SHELL32.dll+e307c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.111{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3050|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.111{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000844847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.043{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=964ABA57C1660EE3B4F08C3E7A843DE3,SHA256=954FDF266CDE60A2C5AFD5D7B08DC3D2343D3A27461E2203E0AA8B7C25A14F67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:21.019{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000394050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:21.179{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-067MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:22.876{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0338182D191DE9C27B3DA566F680BA2,SHA256=A8643F182D1F2A4D16A8689115EB91F9E23385DFE3F8F58AF53041DA1045C466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:22.670{8A63456F-245D-6387-AE02-000000009802}5168ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-11-30_093817MD5=3855DBEDC347549A9CD80950D35CB0F1,SHA256=6145597A68BD65AAD14576269CE8621CB30C749B2EED82C89243436DD5B2D1DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:22.655{8A63456F-245D-6387-AE02-000000009802}5168ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=1430C209EFF7FD5583D3D311A56A889C,SHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:22.079{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1CB177B5CFEC14C84E33AFB020CE42BC,SHA256=FB2F3BA265C04911B41410FE61631007A2FBAF5A467E40AF1E48CA02E11582B4,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000844893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.744{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000844892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.639{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.625{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.616{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.614{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.586{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.580{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.570{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.565{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.564{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.561{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.559{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.556{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.554{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.553{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.551{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.550{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.040{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000844875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.038{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD9D5A3F74129ABBBB0DB851DA56B0B,SHA256=C28B60B8D218C6D2CB59F4B946EC9DA4F75A071458197B72B280B6C72FE5C651,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:23.038{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000394082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.650{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.647{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.644{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.642{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.641{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.639{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.638{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.635{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.633{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.629{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.627{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.621{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.618{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.611{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.605{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.602{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.588{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.582{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.574{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.567{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.559{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.535{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.529{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.522{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.515{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.507{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.496{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.487{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.483{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 23542300x8000000000000000394083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:24.248{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F27F587166822361D1B4F913A9BE44B,SHA256=43947B9B84C5350A6E1AB3125AE7A3B38721337DE389B5E3D01CB5503B1BD1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.924{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E04A8512AEBDF73DA18EF7B5D67A5868,SHA256=26E60029AB4C8E6DA1CDDE91EDAB724E3BA8CB333CA764446F57ED4FA7181AD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.568{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.568{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.567{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.567{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.566{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.566{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.566{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.566{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.564{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.564{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.518{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.518{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.518{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.517{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.514{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.514{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.514{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.513{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.507{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000844897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.507{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 354300x8000000000000000844896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:22.537{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54146-false10.0.1.12-8000- 23542300x8000000000000000844895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.345{8A63456F-146E-6387-0B00-000000009802}644NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.datMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000844894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:24.126{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB10D202AE4CEF45AE6CC55B40DE23C,SHA256=98F27F3F21899FFAD45D4F94E5F1FA44B30E8B4BE21C617A338132C7C94E9369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:25.384{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB3208ABE55A0A308FA7F8105BAA11E,SHA256=9634C2DDF9259612B9E8A371C5A51996F49D0C02CF1CDAB3D4EFB7D0CD4667B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:25.644{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000844921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:25.644{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000844920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:25.644{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000844919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:25.644{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000844918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:25.196{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66DCBFA3A6C866500EADD28DA3E29DB,SHA256=BF411AD4B971DBA78D7E062CD47B5C1B376957E01AA098F69AC517251222FE43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:26.473{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E173C7DFBCB71B84E2EFA3FE7DCB1B34,SHA256=B15FF7A17764A32C7A745739F1395020231A7A67FBE65ED9F816CA25CAD6692D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:26.486{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000844931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:26.486{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000844930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:26.486{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000844929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:26.486{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000844928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:26.486{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000844927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:26.486{8A63456F-2417-6387-8602-000000009802}18481560C:\Windows\system32\sihost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:26.423{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000844925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:26.423{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000844924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:26.423{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000844923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:26.276{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0A6FF747B8C3FE032AB15BCD7EA473,SHA256=A1F69148857E2E143D7B28C1B5C0BAA06BF03966ECB44645C254D12C30B2E497,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:23.000{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50517-false10.0.1.12-8000- 23542300x8000000000000000394087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:27.567{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C81ABD5A4BF15769AA6E837C8B6606,SHA256=3FC28A4661113A727D074F754E1EC68F88D404A3E373E1E7287E1A43288AB7C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:27.363{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC33D1DE9B9D8E7F718DC6013231BF0D,SHA256=CF4909396EFFD31A91C1863B921320DB152C51FC52B828D0DF0EDDBEF7BCECB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:28.650{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CDC19F42BDFE8466391E01CB2F7FE9,SHA256=DF541C268CCB62A3D143370AB203297C30F999B130E70008ADFA836486789DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:28.458{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49068A3C67A08D05C716F4B6830FEA0D,SHA256=E7ACCB7454FDB3B825C4FC2638B3353349D0283B04625ADDD6E774992C7CC9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:29.720{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A148E5B42342440793985460F3F7716,SHA256=FB6F8182CB02BE41154C0021A04E91282564CE0A8C89F2768338F7256C81A8FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:29.562{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A98A2BCBC230A96AD8A6DF965F084E9,SHA256=FC69803ED94DFD33DA0A5140311FB114F62DF2ACC2C808305602703ED5DA5511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:30.796{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E23C8F2BD85E1800209D0A5EB65546,SHA256=B4F4E9920F96A0AC6E46FAF75C1178F3DDD9F1256870ABCB6FAD5343DE9EF6FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:30.653{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26908C0B3277E13D3516A7463FF25CB9,SHA256=6A4DD35591BBB219D60A3D8BD99A8127F8E01F94DC1641D32584F7A7ACACA930,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:28.531{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54147-false10.0.1.12-8000- 23542300x8000000000000000394091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:31.865{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1042C915085EEB1FB520BE42D72F5FC3,SHA256=CE7A936B91D3823A572285FDB442D0D933D1E2F93A484B7D8C0C3C7C6C08313A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:31.749{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A516B4CF3BA1CB9C26151A2DD38EA3,SHA256=B815BFD4CC6E4C180F84EA92C231F19A9F413BF142DF9432A19A9B329918B690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:32.960{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485CD68AFCCB5CAC064340B4BBA02ADB,SHA256=00FBC1E78260C0D0DB18306CEC6A3EC6E0F23C599B0A85B9F501009A68FE61C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:32.828{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB9DF83E7051D239C8B7D9723655C79,SHA256=D1AED06473C31AA6077750C1960E26819C7C4C6D68D5BF653AFC5E376E201AA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:28.895{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50518-false10.0.1.12-8000- 23542300x8000000000000000844940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:33.896{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B2FDD41FDB3A41D32ECC644A5438FF2,SHA256=7D07C22A9730CF4E44FEBC6A45BA372E641048779C03D6777B8CCA61D7A547F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:34.981{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E29DACA2B06226009AF04F2C9E09A7F,SHA256=81B812230A9DBF6231CB787EE47E8E70E4790E13E0C6202098DB72EF0991BFD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:34.044{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746DA4E1A4267EE6DC16E56BEBDBB305,SHA256=5DE1100ED4A1AF84CBC77A8E27B53CC3A08B5E978AE311D2D33EE012D99F1FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:34.868{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-066MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:35.138{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50755EDA55EB64FFBA424FDD1F736A4B,SHA256=7309668FA54C6E8B3FE7A30D6275569CA6E5C3F707D4371B6C366B52744B2D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:35.867{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-067MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:36.227{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779490C2FE33146F56D7A227595F9CB5,SHA256=DA4DC5B823226AD3B74195A6FCE4A97C61989AD51D233018308F779D4A272F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:36.991{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=39D45C27E5FAED2421EDB11258AA437F,SHA256=BC32B2B813568EC67CF326BEA861EAEF3845FC9E7EFD8164C8CE15173A9045D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:34.495{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54148-false10.0.1.12-8000- 23542300x8000000000000000844944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:36.080{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1D858EF516EB2BC4BE0236238FA3A1,SHA256=1EF5A868F7FA5A874F570538DED81F39613614D705F97D52E7EE34B755450B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:37.302{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5898900A42F99172F566644362E347D9,SHA256=840125C33138F16B479FBF5814AF173B2F8BBFE2F75A9D07C6CE36CA440BBFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:37.170{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9A9A996C32FF3337921C9243B44413,SHA256=197E3E4EF8F5F3AB0596478BA8C3841907565D72494E7C30678FA97A96825A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:37.190{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=37989E89EDDBA8C77900AF5B6C37DC14,SHA256=3B9F0C8C440EBD9B5C47862E7DBF6249F9A3442346AE3E0785906F41F7F41AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:38.388{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075350548FE83DD72609C9EF3FABF929,SHA256=28BECF8BE1261EC7941F6112870ED2C3DBEC8DBD9CE0200EFC04055F74411EF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:34.788{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50519-false10.0.1.12-8000- 23542300x8000000000000000844949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:38.334{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=17549E5E6FAD347AC04D0536BD2C63B6,SHA256=839797B7ABD89CD7CAA25BF26BBB24E6DD3708CC4C35360FFC9F06C1E8E430CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:38.256{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB942171E1DADF6310D11641899F3D2,SHA256=2C4A6F5767C8A779774C79A29C6EDF03385D61DD5E9DED5A47A3EFA511237865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:39.376{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC722F48048AD8D1DAE0CCC586DAF804,SHA256=8F1E0D8E4BEEC2A850338D541D242BCBFA71B6054AA51F44C92D232DEC597409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:39.325{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0FF51BF3FF0439880043D52C6B912E,SHA256=C6E859D7577E6DAF70A7CADAD56CDC4F80BF4E9066C8C84FD8F67952C8F4C0F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:40.464{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B1B26868AE55B97201BD6440E8F0FDB,SHA256=29E481D52DDA2876485AF8368A91AECF7E3B7AFDE1B7E90F84E01F1F3D9AA884,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.868{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.864{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.856{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.851{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.844{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.841{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.840{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.832{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.821{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.817{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.809{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.794{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.753{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.742{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.692{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.671{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.648{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.630{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.610{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.582{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.557{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.536{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.508{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000844953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.423{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29E8C6055B8020047EC159CB46A3CB2,SHA256=9AA6C1829FD7B7ED2F4D72D009D34997759606AED70ED29D9CF9C1590CD4695B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.405{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:40.400{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000394103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:41.552{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C3AC064FCB0EAD2F0882777FE81CB6,SHA256=14B734C48517D503A505DA0CA53DE5D3A0973BAF3DC240D7738C735491A84722,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000844979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:39.578{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54149-false10.0.1.12-8000- 23542300x8000000000000000844978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:41.450{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570B23696DEDCD3E3A00FEB3DA036E01,SHA256=DF50D0732922AB5D9BF3D24E5289F2E1ACF090074B34AEEC837144F3557332D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000844977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:41.279{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000394104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:42.639{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40D8D53217DE5E95688D6527DFFAB23,SHA256=0C1F2CDE2394E671EFF6929F933A9749D73F6CA1A9FA0D6A0B09325F141DE018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000844980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:42.514{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F9F9F920C2E7467F4E1412BFE58B57,SHA256=F59C60ACA70DE303423E4820D03703370C6AAE8E624E157C5D2BF9DB933A6745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.705{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8961B91F4F159380556798D1D5C85954,SHA256=344667BB740FBA54D04FDB3A5E76901317022DCDA14CB4D40220708FA96419A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.656{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.654{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.652{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.650{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.649{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.647{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.646{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.645{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.644{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.641{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000845003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.951{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.937{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.918{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.916{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.876{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.870{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.858{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.852{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.850{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.848{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.845{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.843{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.840{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.839{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.837{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.836{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000844987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.569{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49543D59FB13DBC8828AEBDFDD8CFF3F,SHA256=9F5C617B6EEE3B68E9EA8A9E5CAD868066CFA6257FBA2921ADB783177FFCCC56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.639{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.635{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.633{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.627{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.622{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.619{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.606{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.599{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.592{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.585{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.579{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.555{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.545{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.540{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.528{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.516{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.507{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000394107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.499{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000394106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:43.496{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 354300x8000000000000000394105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:40.813{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50520-false10.0.1.12-8000- 10341000x8000000000000000844986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.323{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.322{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000844984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.055{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.055{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.055{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:43.041{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000394136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:44.682{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B355C89242556065E7B51AB5B617877B,SHA256=13C59F389BC50C79143FFE4F4ECD7E82AF25E969248929BA2387AFD85F26089C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:44.637{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF50AC00B91A6BCB2731D2F4DF7AC201,SHA256=BFCA9B64F8E5D90BFE2D84542F55EF9FCD4DCA5D36F5D78561BA59DAC0F5DB51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:45.764{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC7C41AD358D78A9ADD2B68C928DBC5,SHA256=E015A5DF06EE59D6C33BF16A95C359E70982E5D66F0EAE6B65DBF78DD135212F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:45.727{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7533C7DFC5691FAEA4D0C2D2CE01FD,SHA256=FEEDDDF10039ADB7C8FDE26924EE70477D30BDF7F314B53A21AD56255EEF5DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:46.828{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541C68DA84BC094BD7A061948FA128C0,SHA256=A635448180C0DE37093513C74CE1144E3C15E0930585154F84D76343C938E744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:46.795{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C974423F32B285A76ADB46DC381CA1CF,SHA256=D62B66D5BF791D4881CA231ABF43DC6D6F371FBF9C38982B6B94E97BF7600EB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:46.224{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000394140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:47.904{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC8528A2A8A65985BEE38B0415C2FA67,SHA256=48A1423966BA7D0B2E9B43F55B99E3D9B57430E32E2CB4D8CB6AC715C54FA2A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:47.873{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCA27DE185D7BC49EEF93612C40458F,SHA256=FCE4BEC65695F92DACCA80BA1A3D79BC69C24FA1724C45920C3A01204AD461C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:44.593{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54150-false10.0.1.12-8000- 23542300x8000000000000000845009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:48.952{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC8AF6428DF5A9D48AB9D3D2C05D571,SHA256=40CC9B351DA48DFB1F1D856342D602B946F030233F9E198231F93579C26E586C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:48.990{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B7EF6E8A06CCECB9692E2BDF78FB14,SHA256=B51CB15A3755C257E1B482C08FB0153F955397A9FD394EE1F66535F2DEC31E08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:45.962{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50521-false10.0.1.12-8000- 10341000x8000000000000000394157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.956{E56ECBBF-24A9-6387-8602-000000009902}11084008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.800{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-24A9-6387-8602-000000009902}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.800{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.800{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.800{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.800{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.800{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.800{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.800{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.800{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.800{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.800{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-24A9-6387-8602-000000009902}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.800{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-24A9-6387-8602-000000009902}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.801{E56ECBBF-24A9-6387-8602-000000009902}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:49.753{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:50.039{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3141E7C6A9790F5616DECE7B72619BF0,SHA256=A262A188C342DFB1DC942E436D34F78FC61A9353A12E0F1E4794A37C3F170348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.898{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=625CAD1AC0310454DF2E1931586FF772,SHA256=058543D3DA6530E5C33BA6E0C18E7FA2D366EE9B2635E9049C42508829D2C865,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.476{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-24AA-6387-8702-000000009902}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.476{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.476{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.476{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.476{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.476{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.476{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.476{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.476{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.476{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.476{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-24AA-6387-8702-000000009902}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.476{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-24AA-6387-8702-000000009902}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.477{E56ECBBF-24AA-6387-8702-000000009902}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.127{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9F662F863F99F28D0E6BD98B730BA2A0,SHA256=59D4A15EDB5FB7F4624AE74E4C4AD48F13BD33FED42A80FFCEE15C7B44ACB701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:50.083{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF813597CC9D376603978DB01A95EE2,SHA256=B39761C10BC730B6D7E9B91C58173763048394A7349FE6A915BFA547C37501BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:51.151{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1E870D4E013F5009A9FA92357204C4,SHA256=B7E3EC5D11A897DA78A2B2AE7FCD0CFF97D84FA224EC07A0B690C7572E35A204,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:48.489{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50522-false10.0.1.12-8089- 10341000x8000000000000000394187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.214{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-24AB-6387-8802-000000009902}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.214{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.214{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.214{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.214{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.214{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.214{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.214{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.214{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.214{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.214{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-24AB-6387-8802-000000009902}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.214{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-24AB-6387-8802-000000009902}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.215{E56ECBBF-24AB-6387-8802-000000009902}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.167{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2562C03D7FAB991104ACBC123292597,SHA256=650DCB6BC6DA00929BE9E670639D3EE17362AF960C2E05D32703329558098D80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:50.580{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54151-false10.0.1.12-8000- 23542300x8000000000000000845013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:52.952{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:52.261{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022D30F5012CF3DA5ECDF457DE10B4DD,SHA256=700B3D0E2E4AB6DCBBB5EBF5FB55EA36794104DAC9430AEE3112346D192B6B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:52.289{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5FFBE5076801E8818AF179D565F26010,SHA256=A42BD321BC81B11E9006CF26944FF6C6DBA37BD18C0308181E47FC4B08B6C0B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:52.274{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134BCD25D50267E375DF9D63D2271229,SHA256=D6ADAFC4358D95FA20230DDD5120504C89735B03DB0840832291FCAF9366B5C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:53.337{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2D97B2E5280E3CDCEF29138BC4BAD7,SHA256=EF87F9A3E06617E17BD0F16354841F8F5B5E45D4A2F55CB23C0F5C7BBE4E2631,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.717{E56ECBBF-24AD-6387-8902-000000009902}8843344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.545{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-24AD-6387-8902-000000009902}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.545{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.545{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.545{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.545{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.545{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.545{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.545{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.545{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.545{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.545{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-24AD-6387-8902-000000009902}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.545{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-24AD-6387-8902-000000009902}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.546{E56ECBBF-24AD-6387-8902-000000009902}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:53.373{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B355AA25F1F8615B6D96FFDD6C21D50,SHA256=A316A61F9EC3B074CC60EA5C837E25E386828E20BFA7939EB6D9F06DA1340E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:54.408{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9917AC8C4CD7A47AE4384244AA981F,SHA256=B112325F500F12F8D7C0ED41434BD98B1048D95FD37CE6523983A892C6007351,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.896{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-24AE-6387-8B02-000000009902}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.896{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.896{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.896{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.896{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.896{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.896{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.896{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.896{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.896{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.896{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-24AE-6387-8B02-000000009902}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.896{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-24AE-6387-8B02-000000009902}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.896{E56ECBBF-24AE-6387-8B02-000000009902}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000394221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:51.870{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50523-false10.0.1.12-8000- 23542300x8000000000000000394220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.677{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5495EA91C28F5D91A7865DBF8284015F,SHA256=67191EEE4A89A14725DFAC7313A87CEB1B7DBED427CDFD46405DF74FD338ACCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.364{E56ECBBF-24AE-6387-8A02-000000009902}848452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.224{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-24AE-6387-8A02-000000009902}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.224{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.224{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.224{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.224{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.224{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.224{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.224{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.224{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.224{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.224{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-24AE-6387-8A02-000000009902}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.224{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-24AE-6387-8A02-000000009902}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:54.224{E56ECBBF-24AE-6387-8A02-000000009902}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.824{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-24AF-6387-8C02-000000009902}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.824{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.824{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.824{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.824{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.824{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.824{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.824{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.824{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.824{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.824{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-24AF-6387-8C02-000000009902}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.824{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-24AF-6387-8C02-000000009902}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.825{E56ECBBF-24AF-6387-8C02-000000009902}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.808{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53B85E4570B23FC3746C27B38C029A2,SHA256=9CDD3D956229ED5818E099BAD9F42175225E1DDC841ACE46C92C1D7A89D1B7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:55.494{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CDA32BC37C14602928EE0E65C8C4BC,SHA256=85243BDE1222D7725FE6D8541AED625F7F0E62894BE564125938066D7B723B32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:52.377{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54152-false10.0.1.12-8089- 10341000x8000000000000000394235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:55.043{E56ECBBF-24AE-6387-8B02-000000009902}34843140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000394251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:56.906{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDEC3B9F22F992E54DA4F94F7B42BAD,SHA256=948F203EF1CEFEAC0A4DB6970655668EDFD7206399B6115B660FA88D55EE69E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:56.591{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16697BDA422236648C820A8BF39163BE,SHA256=798F7F12B568A8413AF1D41CC33318C566181F208A2072BD7B246FFFC4D90CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:56.014{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61476DBAC89998E9A91F4EE9CC15C671,SHA256=A8E990D53327A0EE3F92E020C71ABC336B33A11D516E46AA6E418CB9BADE2118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:57.994{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316F1E88099F0EF85EF216AC8867D441,SHA256=51373E0B85011CA4D1E1691E1CEE8D21DBF2170DA7782CCD8318459BE58D953C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.846{8A63456F-1471-6387-1600-000000009802}12801568C:\Windows\system32\svchost.exe{8A63456F-24B1-6387-B802-000000009802}5132C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.846{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-24B1-6387-B802-000000009802}5132C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.830{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-24B1-6387-B802-000000009802}5132C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000845032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.720{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3B311D162BC38DA6287513B512B382FA,SHA256=D0B45CFE9835CE8903AB7C9B5D39F58366684178C841B431690AF4170CAD73F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.689{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A325360B63FBB4040EA740CBCBD786,SHA256=445232D5CB76F9F54D6F3959AB2EA5676EE08C2B89463926948611CAB1AC5831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.658{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.611{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-24B1-6387-B802-000000009802}5132C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.611{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-24B1-6387-B802-000000009802}5132C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.347{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-24B1-6387-B802-000000009802}5132C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.269{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.269{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.269{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.269{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.269{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-24B1-6387-B802-000000009802}5132C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.269{8A63456F-1471-6387-1600-000000009802}12801568C:\Windows\system32\svchost.exe{8A63456F-24B1-6387-B802-000000009802}5132C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+ac80|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.254{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000845047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:58.655{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B427663B28023D213B890D4E42BB6E8,SHA256=0E78061E3A44FB1FBF00BDCA8A9D174EB6F9479563BDE8BD682A45306EE0108E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:58.415{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:58.415{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:58.415{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:58.413{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:58.413{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:58.413{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:58.411{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:58.411{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:58.411{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000845037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:58.398{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A5F621A5EDEC6D10B67A9C2C96631E3,SHA256=A635561D7D44A45D3F40F407A35BA0777964BDE67D06AF427EF868232CCB5A92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:55.602{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54153-false10.0.1.12-8000- 23542300x8000000000000000845052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:59.752{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FC6DBE307B33B9FB6B88E75043DB86,SHA256=A0D40285874F9540BA3B05BC160C69FAEDEA90E868DE806F3E2E0A8059D096B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:56.956{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50524-false10.0.1.12-8000- 23542300x8000000000000000394253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:38:59.088{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC57FCE0292311D1CF8E43B88486050,SHA256=2F91E7032E1FDB4540A9A7B899FC5FFDD5D66B31BB6A5676990B1A9D184DDBBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.219{00000000-0000-0000-0000-000000000000}5132<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54156-false72.21.91.29-80http 354300x8000000000000000845050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.147{00000000-0000-0000-0000-000000000000}5132<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54155-false34.102.187.140140.187.102.34.bc.googleusercontent.com443https 354300x8000000000000000845049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:57.127{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local57356- 354300x8000000000000000845048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:56.762{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54154-false72.21.91.29-80http 23542300x8000000000000000845078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.808{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895D525A562BB8DB6E1088897C0965EA,SHA256=1F7604A3BB6BCF42F22842A299C81594DB1C3A0818BCCDF7430B296085F07837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:00.176{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A041C387F10D3543659D626B6417751C,SHA256=AC6EBFE5B623D9BD0B45BB467079AC31EAD55BD388165C840481C0B9B5F574AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.665{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.661{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.654{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.651{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.645{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.642{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.642{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.634{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.628{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.624{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.621{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.617{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.587{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.578{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.549{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.538{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.529{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.506{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.494{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.480{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.468{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.455{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.444{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.385{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:00.381{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000845082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:01.893{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A059005B882DB690A1481FFEE0B89E,SHA256=6284C8A8C57A829CDEEF91F4594F45D8A52C1A3EB7F0B8B496A4678666A1C817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:01.255{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD23D55589B2D2505B9C8C1C2F9F415,SHA256=82D6543B69475328EAC5C3CC962F5142AC3A561A10F81D283CA6D77BAFFA2A4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:58.443{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55949- 354300x8000000000000000845080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:38:58.412{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local55949- 10341000x8000000000000000845079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:01.101{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000845083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:02.973{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEA6EDB5D9C3393844C3BD8558BA997,SHA256=90B3A32A439B136B29ED48AE426AEB768A2DAF31010128DDB848F6D26F2DE47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:02.350{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F37C378857578F1DD1BB629BB5D64AA,SHA256=978F6B70048D8DF30FA8BFC3FB676079754EA3DD608F358862D54AA52DF14E50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.698{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.692{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.689{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.685{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.684{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.680{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.679{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.675{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.673{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.667{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.665{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.657{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.653{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.643{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.638{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.634{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.618{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.610{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.602{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.595{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.587{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.543{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.535{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.529{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.518{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.502{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.492{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.483{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.479{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 23542300x8000000000000000394258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:03.440{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF7AFAD5AB0C4F6BC3CAA700428B508,SHA256=365605BD684AD8A1979F3875B4E71F2EF93A105CE5DC751839B348B121F0E372,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.778{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.760{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.750{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.748{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.713{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.706{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.691{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.683{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.681{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.679{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.675{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.672{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.669{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.668{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.666{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.664{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.143{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:03.142{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000394288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:04.894{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E961FCB14BFC9894BA5959F7399EF1A0,SHA256=444EA406D925CF6ACDE90D1CAF0902BA539A2490C90B518C3566C31ADCF5C93C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:04.879{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-24B8-6387-B902-000000009802}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:04.879{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:04.879{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:04.879{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:04.879{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:04.879{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-24B8-6387-B902-000000009802}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:04.879{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-24B8-6387-B902-000000009802}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:04.880{8A63456F-24B8-6387-B902-000000009802}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000845103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:01.580{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54157-false10.0.1.12-8000- 23542300x8000000000000000845102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:04.033{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B6A2E403C4B0FB1A5858AE631990AA,SHA256=1B78070E31C466CBDC74B0CE86294B24C96E7E104BE6659FB5CB61BF189C6964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:05.937{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5015894CF62C0D068DC1EC092250883,SHA256=4C7AE19A3D398D355FBCEFEACAE54E5F86B40DF89F16CE9188A83E312C812AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:05.907{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ECF036FE02704ABFA6F424FA57F4A59,SHA256=3F51E4AA0A82DCE910A19F7358FA1FFE3360750525CE58F1B1C89D73739E944A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:05.751{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-24B9-6387-BA02-000000009802}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:05.751{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:05.751{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:05.751{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:05.751{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:05.751{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-24B9-6387-BA02-000000009802}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:05.751{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-24B9-6387-BA02-000000009802}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:05.752{8A63456F-24B9-6387-BA02-000000009802}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000845112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:05.215{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D61317E94715C547D0182AE7C76ABC,SHA256=3506807CA6E0ABA4F599275936A8C9C98C3D36C3642A3C74059DA1DFC98D9984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:06.289{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9713EA04940F6E4DB199374C518A328C,SHA256=F982CA814ABFB4F63E62E5DDE7D225CB3E162A32D217F51710BC84D60089807A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:06.242{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-24BA-6387-BB02-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:06.242{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:06.242{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:06.242{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:06.242{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:06.242{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-24BA-6387-BB02-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:06.242{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-24BA-6387-BB02-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:06.243{8A63456F-24BA-6387-BB02-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000394290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:02.904{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50525-false10.0.1.12-8000- 10341000x8000000000000000845122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:06.002{8A63456F-24B9-6387-BA02-000000009802}46882712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000845134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:07.658{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=987655AEFFF0596DD989373018600B50,SHA256=FBF13BFD789CCC6651040AA6F411412310EE78771E17F0D867303D694FE7B945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:07.361{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC33C6EAFB924CDC0166FF4CEF0EC45,SHA256=889DAA31F537C4054D7E98CF5D9F4D1FE5FE6E68C3AC589E37B32222BEDCBB94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:07.018{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65C00506832091B303418854DD40020,SHA256=04A6C5BF0100C49C1257F8E43C10051B8801741DA277CE7A4FEAC605FBC8F3EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:07.127{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=14D436308A485FA1E1DCBA13912BABE0,SHA256=1E481922981EFAB87FA8A2ECC3D9E2282C75A4ED6E82885B7072B0ED2DB528B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.919{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-24BC-6387-BD02-000000009802}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.919{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.919{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.919{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.919{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.919{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-24BC-6387-BD02-000000009802}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.919{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-24BC-6387-BD02-000000009802}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.920{8A63456F-24BC-6387-BD02-000000009802}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000845152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.669{8A63456F-24BC-6387-BC02-000000009802}34885460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.544{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24BC-6387-BC02-000000009802}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.543{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24BC-6387-BC02-000000009802}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.543{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24BC-6387-BC02-000000009802}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.542{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24BC-6387-BC02-000000009802}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.541{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24BC-6387-BC02-000000009802}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.541{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24BC-6387-BC02-000000009802}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000845145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.428{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB748FCD24938976BDCD1FBDFCFF4F6C,SHA256=A4F6E00DAA9FA05DAC9EBF9A3DF9A33D8106F4030BE3D76219CE3DC22B74E139,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.428{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-24BC-6387-BC02-000000009802}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.428{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.428{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.428{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.428{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.428{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-24BC-6387-BC02-000000009802}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.428{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-24BC-6387-BC02-000000009802}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:08.429{8A63456F-24BC-6387-BC02-000000009802}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:08.109{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F17609D3DA0C50432F8EB7F70BD6094,SHA256=8E74A06ED2F8C674C485E4A61E8B24BFEA78488C450BFD321C6D1BAEF724D97D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:05.844{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54158-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000845135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:05.843{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54158-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 10341000x8000000000000000845171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:09.751{8A63456F-24BD-6387-BE02-000000009802}46603420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:09.541{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-24BD-6387-BE02-000000009802}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:09.539{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:09.539{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:09.538{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:09.538{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:09.538{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-24BD-6387-BE02-000000009802}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:09.538{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-24BD-6387-BE02-000000009802}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:09.537{8A63456F-24BD-6387-BE02-000000009802}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000845162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:09.537{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A1D5926C479C2534FC28B3FB3F7377,SHA256=B49B87B40917F1EADCC9F6C0939F8840CCE4090CA745CCE8118EA93F3B81A569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:09.189{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7104BDE4F194655941BCC653F9A90C5,SHA256=3A016A4076CF5B3400BE6E82571BD5DDDC3B92789B6DDE4ED18AB17B7E3FD6D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:09.098{8A63456F-24BC-6387-BD02-000000009802}49045376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000845173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:10.600{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=751560AAE04B5B2CF461534408052A69,SHA256=9E04FC0636682616D34253291D0649D20FB6E812B633E9F89E01FAF599B80478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:10.382{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B897B630AE088D9D7D8C6B2280718C63,SHA256=98B71FFCBAEE9B084854DD9BE8C910447E7D0965982F6E11359F3C25C7B89E62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:07.482{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54159-false10.0.1.12-8000- 10341000x8000000000000000845182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:11.738{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-24BF-6387-BF02-000000009802}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:11.738{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:11.738{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:11.738{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:11.738{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-24BF-6387-BF02-000000009802}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:11.738{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:11.738{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-24BF-6387-BF02-000000009802}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:11.739{8A63456F-24BF-6387-BF02-000000009802}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000845174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:11.685{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41552A7E4053F81395549446E4F9ECB,SHA256=C5F9888C377B1F20A8C75147A685C8FF1AAD585FF1EBBDCE98278BED1AC46964,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:08.884{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50526-false10.0.1.12-8000- 23542300x8000000000000000394295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:11.474{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB1D54072A2DFD835E2CC5E8EF48E40,SHA256=FD9D3E5693E05EBD47033DA614431A1CC48D36E3EE0A90617840F50CD17CDEAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:12.817{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=710519E334C15DD09C2568F50B035C20,SHA256=F9159E5BE76F2E1D83FAE5C4A9AFE03062EFC54CF7F6E870477EE2D37B0873B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:12.798{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF2699026654885326DA678CA8AA6AF,SHA256=4FB0B59AA3D238AE503472CD62436004D65B21A56E971330D9883EA65297CB7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:12.546{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24152B53A89F326B9E421BFE29374FD,SHA256=404D3976933368EA6F4B75385772A838AF1C4C635D4315C3782C87CF45C7B82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:13.865{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26302CF8DA178F30B6E43DBBDA33CB01,SHA256=75145C563AD56D72D57D0EF66FC893FC3542FDA912641AA0E2F2566D2ED56577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:13.633{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F955671C8F76824ECBDC19473D7C13E8,SHA256=6D02B4AA86D6E47139F696661F58186BA4E1D0A1D32B44EC1A414D2BCD740175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:14.950{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578850A706CEED24AEFC43DE235BD328,SHA256=B612E658AC501D5C04406C05F89955F8D20C44E2F63EF54DD723F5D36B708D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:14.689{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF9C33CA108E1BD22842AE3605272D7,SHA256=4082135401B6742D5B6FE131A6157626ADCC0433AF3BEAC1FDFDCA73BD66141C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:15.780{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A307DEA7FBD5EFF75D722469AE8436AF,SHA256=AFC2B102270A03E2E5793E8CC67B0D5CB3FD83F78CF7EB362A834D79030C8419,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:13.503{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54160-false10.0.1.12-8000- 23542300x8000000000000000394301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:16.871{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924CA251BEC5D1D1EE74F988C2FA64A8,SHA256=DD0A3705715306765D31F045F21878DC1770EC4DF8DBFC03C3E2C099DD3BDE3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:16.046{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309B9826F1A565CD5BDA386D5C1678F4,SHA256=4189AE8DF847559C1626E3A34454127FCCBD4FB615DE5A75B4E9635BDFCBF237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:17.989{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3731AB6E594BBF4B2354DBC6CA2D3B60,SHA256=7AE46BF21CFD45C7FB7FB11D6D06D804518FD90EBC06D98DACD70AFA4DB62F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:17.140{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38AE4202AB3A9D9F30EC19D94141B7C,SHA256=7F025A05BEFF05A882A73FDF486F0070759CC92DABB546BF1773F2095D143ECC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:14.851{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50527-false10.0.1.12-8000- 23542300x8000000000000000845190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:18.224{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398DA25C10A47A847C16F3308877DECC,SHA256=C2E50E0CCF084CEA2AE0783D60B919205853859FE682939D717ED459E7858274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:19.309{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3964483016B9C14251F801EDAD642124,SHA256=C78BAE028A938254040B91015807FB4F88F4162987731ED21F1AF0DBE627D7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:19.053{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4836C0EE834A0E097F03F180D7B1166A,SHA256=FF6AEE5C1F758E7208A2F835E8434AA9FDDCBAD15892572EB6DC62B692B46505,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.597{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.591{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.584{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.581{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.575{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.572{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.571{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.564{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.557{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.553{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.551{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.549{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.517{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.510{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.493{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.487{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.480{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.470{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.461{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 354300x8000000000000000845199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:18.597{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54161-false10.0.1.12-8000- 10341000x8000000000000000845198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.447{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.435{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.425{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.417{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.378{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.375{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 23542300x8000000000000000845192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:20.369{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19A779FF0D6C89F45448CB61F819876,SHA256=ABDAFE8DE70167C2B9728926F2665F8B523D8C0C9A38D851401622C54008BC67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:20.152{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F953C879E35402989CCD256851D187A3,SHA256=8517E6127D945B1D1E49B70AA1763F149ED378D4AEFA3D88EFA260BB14A145BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:21.653{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE21D2054307AE8257E7F61CACC8E7CF,SHA256=1D79A2618A9D4717868CBD3FCF4053177E516E5CB3F0200B9664FAA68012EAC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:21.702{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-067MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:21.647{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=09AAB0AC93BFB56E8D7F2C556A9139C7,SHA256=F9E76AB8A4FDBB26E2ED00F21EEF6C3A16800276CDD90F4D8EFC4DA1C34CE2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:21.239{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB578BA41B78E5715D6090D47F06E4A1,SHA256=BFA0D5C78B54F7627A7C652988E27D5063671D6BD1A42CDFED4CDFDECD15BB16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:21.027{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 23542300x8000000000000000845221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:22.725{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22DF35DBE02FB96F740E744FB1836AD,SHA256=0A5F2359D0040B8A5BB352D5FFBB51F286E39BB4A1425A05B981A6A42CB97E44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:19.914{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50528-false10.0.1.12-8000- 23542300x8000000000000000394310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:22.717{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-068MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:22.356{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F693246861077B06D4EAA1247C15616,SHA256=8B25C6922458515D0DC1EA182EC690EDAFE81F87FD503078BCFCF0FCC838D7A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.784{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB13459B1EA4AF30EF8C38C64B93A784,SHA256=9F38E5D3A6F91EC89A30D12682927631AB8C2FE1DB02DF860D717DB9A1B18815,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.650{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.642{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.640{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.636{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.633{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.631{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.627{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.625{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.623{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.619{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.616{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.611{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.606{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.598{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.588{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.586{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.568{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.562{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.556{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.550{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.544{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.524{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.518{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.514{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.506{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.501{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.494{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.487{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.485{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 23542300x8000000000000000394312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:23.446{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F2BFE79916D4F9825ABADA3370CA49,SHA256=8B5972E7C148A94D5FBB4E0BAF36D4B69F93CF376BA5FA65BE9DDF22DA803863,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.721{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.706{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.685{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.683{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.645{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.633{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.616{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.607{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.605{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.602{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.596{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.587{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.583{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.581{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.576{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.575{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.063{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:23.062{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 23542300x8000000000000000845241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:24.894{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71EBFCD9191AF075E5936C28E5C88017,SHA256=EDC89E6127C5018D139CD0C1C1C57FACE718853355C997E1B69700D9C0262C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:24.856{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DD21CCE08087234BA7D2A02914E6CE,SHA256=32CF4A8748C00BD4E78F691DFFA9DBE11FD3641BA5AA195AD51279B2F9A61EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:25.991{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D8AC2438E66EFEB9CEB7ED1DE4B1B8,SHA256=EDC8C420BC2CD46168128F24C155457AC7618F8F55412CD01B22DAEB30A18907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:25.948{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC3CEC6975BF8EE6F04AE45FFF3FE4A,SHA256=98DFA7965AEC9801DB18DDE2BF5C358EC459B5CBA073FBCC5F102DF2FDE1ECB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:24.532{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54162-false10.0.1.12-8000- 23542300x8000000000000000845244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:27.098{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B800850E3A80B20019140ABC393558,SHA256=5077EF42CCDA3E31D429C3CB1402E0043460C15EEEE7AC702688285DC4A9EAF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:27.042{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3591A19FBE2B10AA5365B91553C2ACA3,SHA256=E8598D606F0494AC3D4677FE85741D91F25C953C0102F8B8DE36F6374A0E8ED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:28.177{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8249ADE1E36B007015C73C2E886D4E44,SHA256=B02963832AD0F29DEE2DB0A98F6AC9FAA442296450555F4A2B66FC8DDEF76809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:28.138{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBD5BCE7A10AE240417248478ACF30A,SHA256=2BA413E4F27FCDA878B392D14C013E9E7A5BB86C06D7EB1531C373D2A9B285C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:29.280{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B587480663C4AEA46F05BDCC5B38CA42,SHA256=831DE4FC37B8E8A402A6EC8890250EB69A2FF88ECC8F2D3C656E1487A34D03CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:25.823{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50529-false10.0.1.12-8000- 23542300x8000000000000000394346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:29.236{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFE38374426D65CA65858F3F681A5B9,SHA256=746287F6E7F1AC0C464BD3591368895253E9ED942E96765A987BF8AFA817C7ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:30.371{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55C4ED686D0F2C7D182CC4C278C9035,SHA256=01A409881A7E4856BDE5D8375E7557FBE8205E922BEC556BEF8E9894FCE4CD1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:30.343{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE2694D4AEE0BAB9BD474AEB1623F88,SHA256=C19823A8FD04D4B7EDB968562699BF887B1C52C492875B0ACFA2B482CF4AC627,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:29.643{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54163-false10.0.1.12-8000- 23542300x8000000000000000845248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:31.477{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A943EC2A34C61FB362A863AC7B24F9D7,SHA256=507CB9C66746ADC82D490CC6E0F0ACAAD22E16AC185B5E1542090EB11D562F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:31.431{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226FD9F0DA7889840FCA1728CA03C060,SHA256=1F2A853002ED94D14CACA05DCCC320C9FAAEAA64C0DB88C4D70791018C4258E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:32.585{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573FC6A52898A743C210E2CF100D4AFA,SHA256=549D7D7EDB0D0E451C866FE1133CD21450BDACFEE0A9AFE3769FA23F40077680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:32.534{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31AA118788C3AB6DEB6A1E4F297BCF4,SHA256=850E17DD5853231F8B55CA0DC224FB181D369DC62C0251BDC10F7D8325E81329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:33.667{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F622FB99D85FF61A2CEAC6954426FE0B,SHA256=DB91598BE3D16908F935890DFEAFAF49495011F797BC8309E9CCF036F643C26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:33.636{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EA7B454D52B34C56DCD9DFC53DBA50,SHA256=FADCEFF9E5025450DE94551BD3AFBBBB9D61316142EB854142472A1784ABF5AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:34.762{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC839AC7665BC9FDA1DB815F92D29944,SHA256=D6F882250189688AA8C2FB66FC39D6C3A98AF6B1985A719436D9FBABC02FC7EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:31.770{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50530-false10.0.1.12-8000- 23542300x8000000000000000394352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:34.834{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D4969A4E22BAA9F6A246CE7F23AB95,SHA256=579444EC46BBF7CEC833C57D423E726C64739041C5C82741E06DC5DBBCBD6CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:35.851{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9F47F9E778B682FEEFD8703D1EC900,SHA256=1C101D9EDEFD4AB4AD2D59E8C12DFB8B980283CDBAC4F8F20CE07196C8F83B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:35.927{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55417638BF911C8BC86BF27BEB295B5A,SHA256=04385E517BCCC2C63097CCDFF44142D2C2AE911B958A4F4B042594BD88FCD810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:36.941{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89C12C81BA555FE24B2395A5FE1D5F0,SHA256=99EAB9F38D71CB3C4BD78D921202DCB3F72618DD768FBB413C1E1AA42EAADDC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:36.387{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-067MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:34.671{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54164-false10.0.1.12-8000- 23542300x8000000000000000845257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:37.398{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-068MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:37.334{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DFBE42FF8A36878F1377550541938369,SHA256=0E5E36E4950D2E62D3558143ABE50FD156B1F50FF14BCB455E61D180D08CC02A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:37.201{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E1CFE82A53D7144C32F2ACD2C73936ED,SHA256=500AD260771068591A028D475A1E3B793CB9AB536AD75A90E6198A43AF834B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:37.008{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=492417F21D32837E353FDB2799AD9B52,SHA256=3E5EB8B56112577959ED8BCD671AEF25E253D09F2C5D2FE114A900B8CE3A5F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:38.112{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C13A66BB962A6817766BB6223532F8,SHA256=9C68A2AC842427CA1D4154D8DEE2987D4F8C5B68E8B7130B3DBCE2C186E1AFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:38.336{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3B0AAACB7EC4E908B9A2BF8797AEC656,SHA256=EFFA8FFA565892D88108FD8B29F97013E0F5A47D5D27B1FF6009962DA561BA01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:38.196{8A63456F-1471-6387-1600-000000009802}12805684C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:38.196{8A63456F-1471-6387-1600-000000009802}12805684C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000845259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:38.045{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7981F5F190C96A252BAB79FB53E416,SHA256=BD2732A2986C768D0363A06EC0AEC79C763C440FD86EE847F133AAF22CDAE77F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000845273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:39:39.663{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000845272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:39:39.663{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004034c4) 13241300x8000000000000000845271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:39:39.663{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90497-0x489cade6) 13241300x8000000000000000845270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:39:39.663{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049f-0xaa6115e6) 13241300x8000000000000000845269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:39:39.663{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a8-0x0c257de6) 13241300x8000000000000000845268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:39:39.663{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000845267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:39:39.663{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004034c4) 13241300x8000000000000000845266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:39:39.663{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90497-0x489cade6) 13241300x8000000000000000845265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:39:39.663{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049f-0xaa6115e6) 13241300x8000000000000000845264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:39:39.663{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a8-0x0c257de6) 23542300x8000000000000000845263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:39.025{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CAFA5E5B3C9CB53A3A6C8869E171D5,SHA256=9099E59E7A0A4DD07C3871641BD204214EA2B16896A509EBEC5BF4B4B1CC50CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:39.216{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BED1E5633576B8BB499E278E52A8B40,SHA256=5A462A05BB6044BC2DE89AB6E5144330B9FD8A84BCD044393F8B806B190224F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:40.313{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585EA59909180FD127BBC7A17AE0C153,SHA256=90F8F944E8627FF3CB762567E241C9E12BB87F171B4A9349BAC8707B61A7DED9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.750{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.744{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.734{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.728{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.719{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.716{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.712{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.703{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.692{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.688{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.686{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.684{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.637{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.627{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.599{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.580{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.555{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.540{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.522{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.499{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.476{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.465{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.456{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.406{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.398{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000845274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.122{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9249411B5E929B603B1818DB50C1B82,SHA256=CD20628D6799058058907099294D7C0D76C36BC1502C64DFDAEB08BCBC356E11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:36.971{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50531-false10.0.1.12-8000- 23542300x8000000000000000394361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:41.413{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5768DF0ACEE7A1F0677BC11563BE5D72,SHA256=289E4ED10F119E4EDB0759B6A1B82C2BCF88CAF4A55CC206BBCCE49544DEDA24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:41.906{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97cd2|C:\Windows\system32\kerberos.DLL+79ec8|C:\Windows\system32\kerberos.DLL+1453f|C:\Windows\system32\lsasrv.dll+2fbf1|C:\Windows\system32\lsasrv.dll+2dad6|C:\Windows\system32\lsasrv.dll+33369|C:\Windows\system32\lsasrv.dll+30cb7|C:\Windows\system32\lsasrv.dll+2fbf1|C:\Windows\system32\lsasrv.dll+17b1d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000845306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:41.906{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B9DC1906F17BDC3034228BE9DCB42F09,SHA256=C845F51B54AF98DDCFB6AF4C57B727B3A8F87FE05A5E6C87BFED8EB08D0B13EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:41.627{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E564565C440D61802980BE8442FB11,SHA256=F750B286F14CA99098C4826A5AAE4E6AB2796BD9BF6AADFBD1029C00EAEDC01A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:41.327{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:41.083{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:41.083{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:41.080{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:41.080{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000394362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:42.514{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD6A2D5C7594465CC52950692EAAB24,SHA256=AD0D0084FD6E88A6E0F419FAE3CCDCD3C00AE5B73021DBA8A08FE690D5BBDFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:42.995{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55E8DAE21EA28D0ED465E58A2BAFB5C3,SHA256=E92262E8BBDA40513C0F37B3084CF8BBE53482590F5054E38E8EE0457E66C6BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:42.910{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:42.908{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 354300x8000000000000000845319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:40.509{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54165-false10.0.1.12-8000- 23542300x8000000000000000845318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:42.344{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377CC2576BCBBE7AF9C706390195D9D5,SHA256=8BA144A9F16C5EF8CF5D60FAE8F6D8C3DC622BFAE08F6BD2AA97153D29D93B3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:42.110{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:42.110{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:42.110{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:42.110{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:42.103{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:42.103{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:42.103{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:42.103{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:42.087{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:42.087{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 354300x8000000000000000845342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:41.351{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54166-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000845341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:41.351{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54166-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local445microsoft-ds 10341000x8000000000000000845340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.552{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.537{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.525{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.522{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.489{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.477{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.463{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.456{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.453{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.449{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.445{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.441{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.436{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.434{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.430{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000845325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.429{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 23542300x8000000000000000845324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.412{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC75B56123A08EEFF9358DF199E9671,SHA256=03A84226F52F4FE23409945CF4E15A7FFB90647FAE9078747953013300C094C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.623{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.619{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.617{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.614{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.613{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.611{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.610{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.609{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.607{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.604{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.602{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.598{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.595{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 23542300x8000000000000000394379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.594{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88027C1BAB83F9BACACFDCE16161849A,SHA256=AFF22641B963874C75FB32776A7C3FD4C6DCBB710A06AAA8508C04751CB4DB2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.589{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.581{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.579{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.555{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.549{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.542{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.534{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.528{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.495{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.492{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.490{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.486{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.486{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.484{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.481{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:43.479{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000845323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:43.043{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000845343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:44.499{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36988F6000650B459ADCD327058EA22,SHA256=EE0F4E7C5499651C7B431CC6246CC96977CCC3AD1431FDA7E5BB9CFA0ECE64D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:44.590{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54B6D1EA41229C6BA92700607500E79,SHA256=F4D0930D6CE854F1C7E9BB9AA7EFD143C2E06159477CAB0B1714F9EBE6DEF3B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:45.608{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B8617BA3C1915F76CF89032CEC403E,SHA256=8F7805273A6BD91FC54C74632C1A4627AE524755AE10E68B25953E1272E11ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:45.676{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D704C853D1C3AFB76258719A20A7E3E6,SHA256=82C58C4F06CA79D27C3752663549003B50FEF49D2D0CF31BD4F2FA52589E7BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:46.709{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB96211AF2DFD0DD70CF90006774A0F,SHA256=B3A751DB16585817985C86ECFD669312ABDEBC17C41B400CBDD0B6153D5DD564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:46.762{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E738ACF27FE0CE86DAB5D2E24EF52A,SHA256=20AF149C71CB81F9DCEFD3475A6A482FC91E0C858336A3437F59BCAEC3300690,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:42.938{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50532-false10.0.1.12-8000- 10341000x8000000000000000394398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:46.244{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:46.244{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:46.244{E56ECBBF-146E-6387-0B00-000000009902}644536C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:46.227{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000394402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:47.858{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEB3DBFD249D67F1F705443BAC8A7FC,SHA256=C823C948C9C1D24BA1E6FE9A33C7EA9E43C57D7F899C6BE24A4A28460119C68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:47.815{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCD972175E24E775D9F57EAE9FE8336,SHA256=1783CE88C18C22206989F97F230170C25D0A66B6BB03E07A2CC35A382B5D621A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:47.216{E56ECBBF-146F-6387-0D00-000000009902}8001736C:\Windows\system32\svchost.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000394403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:48.958{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502BEAFBAAFAB861F118AB81722951C2,SHA256=ED1747149D491D132FC4AC3EFA357B7B18519AB37A415904335494269A3C4E62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:46.503{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54167-false10.0.1.12-8000- 23542300x8000000000000000845347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:48.908{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5881FDA070EE18E832C9ECD0D0DBDE7,SHA256=313569837118EE26818FA4D4AF0694D15B8BB681B9DF040007170357CC3110EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.969{E56ECBBF-24E5-6387-8D02-000000009902}19241128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.962{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-24E5-6387-8D02-000000009902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000394422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.962{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-24E5-6387-8D02-000000009902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000394421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.962{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-24E5-6387-8D02-000000009902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000394420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.961{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-24E5-6387-8D02-000000009902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000394419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.961{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-24E5-6387-8D02-000000009902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000394418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.961{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-24E5-6387-8D02-000000009902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000394417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.795{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-24E5-6387-8D02-000000009902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.795{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.795{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.795{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.795{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.795{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.795{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.795{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.795{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.795{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.795{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-24E5-6387-8D02-000000009902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.795{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-24E5-6387-8D02-000000009902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.796{E56ECBBF-24E5-6387-8D02-000000009902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:49.779{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:50.014{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7C1AE89BB35FE642C6791306C6826B,SHA256=A0E8C91F288324075D4A674D01ADF811AD98F3678BE9D086AED34082DC20FB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.931{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7290AE7C640C6679B39C85F524532199,SHA256=BA0B2C7A385408AA5840829C503CA99709AF24DC8C16144E5EED9419BC74380D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.477{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-24E6-6387-8E02-000000009902}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.477{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-24E6-6387-8E02-000000009902}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.477{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-24E6-6387-8E02-000000009902}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.478{E56ECBBF-24E6-6387-8E02-000000009902}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000394427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:47.961{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50533-false10.0.1.12-8000- 23542300x8000000000000000394426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.056{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1757AC18A43641B71355A585BDADAF,SHA256=684440294D2BDCEACBB3350477E72BC8A0692511464397CC3D58E4C0443743D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:50.056{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=380CDF6B81F1D4F10216BE5FEF99C64E,SHA256=6FFAE930D174AC6BA65EE8C92E249B857A7C5B26D7FCE02695F9C530468C8C14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.622{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F21561DDF395AAAF01EAF94A1C256434,SHA256=7E17FF11FBC6A1EDDD107375A4BB296B60A891993950AC446685938008CDF5F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:48.517{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50534-false10.0.1.12-8089- 10341000x8000000000000000394455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.106{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-24E7-6387-8F02-000000009902}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.106{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.106{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.106{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.106{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.106{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.106{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.106{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.106{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.106{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.106{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-24E7-6387-8F02-000000009902}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.106{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-24E7-6387-8F02-000000009902}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.109{E56ECBBF-24E7-6387-8F02-000000009902}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:51.038{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85521E6FF541D6FE9555E7BD466637CF,SHA256=DD4285BFCE56F6E065C23B0D91EFB9C10F6976826B0776183B964F653497BFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:51.114{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5BD5084038F68E0D9D10DBE67AC31B,SHA256=D6B733598B10A1A26A77880C64D5E56747412B7E6D849316966C5CF327F8B6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:52.147{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE279108CE61AA554665437870E36DC,SHA256=A6690B84BD79E8017C59057BBE19DB1A8FD8D377F30C957116CC71E2E4625139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:52.972{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:52.199{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19446D88148B81B7B962C72F6E057556,SHA256=198821EE9D8417D8E8CD1B47CAB5CA1A108B9EA91166F4A8CCB74E25641627C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.704{E56ECBBF-24E9-6387-9002-000000009902}13843056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.563{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-24E9-6387-9002-000000009902}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.563{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.563{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.563{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.563{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.563{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.563{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.563{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.563{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.563{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.563{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-24E9-6387-9002-000000009902}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.563{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-24E9-6387-9002-000000009902}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.564{E56ECBBF-24E9-6387-9002-000000009902}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:53.235{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C65BB771D9BDE7244A870A207B13C2,SHA256=7BDF5CE5DC0263C97409951B1FF67AB94274CC31FEC8EEA4C30DC3CC60723B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:53.725{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB69735AE843F65123599FA62861446C,SHA256=5A3428D266FF0E4AED4ABEA3BC846950015CE26580B0A3255C63DC06D4436D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:53.283{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320E243907A580B7CA1784235D692B0E,SHA256=306F4A7F2566EA9EA25C46A5879081D74851B64AA7C3962B0E43B91319724866,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.911{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-24EA-6387-9202-000000009902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.911{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.911{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.911{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.911{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.911{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.911{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.911{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.911{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.911{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.911{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-24EA-6387-9202-000000009902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.911{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-24EA-6387-9202-000000009902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.912{E56ECBBF-24EA-6387-9202-000000009902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.395{E56ECBBF-24EA-6387-9102-000000009902}26323680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000394487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.348{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6426F17D7E946DB306C0D0622ED558,SHA256=598D768539844C0EEB5C981472E35AE05DFE88D8B3050F188C3B285158CE0766,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.239{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-24EA-6387-9102-000000009902}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.239{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.239{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.239{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.239{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.239{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.239{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.239{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.239{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.239{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.239{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-24EA-6387-9102-000000009902}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.239{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-24EA-6387-9102-000000009902}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:54.240{E56ECBBF-24EA-6387-9102-000000009902}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000845356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:54.367{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB02B428D345B7C56853A96872A0FB8,SHA256=D05E50B24049EA375832AEEC9980CEA170788A6CDDC5B39F565D37EFF4B0F916,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:51.519{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54168-false10.0.1.12-8000- 10341000x8000000000000000394517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.786{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-24EB-6387-9302-000000009902}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.786{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.786{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.786{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.786{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.786{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.786{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.786{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.786{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.786{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.786{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-24EB-6387-9302-000000009902}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.786{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-24EB-6387-9302-000000009902}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.788{E56ECBBF-24EB-6387-9302-000000009902}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.786{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607183CDF1522CBE5A8686B51B281EBD,SHA256=55EACFFE1044BD6331C545E4AD240B20EB0E93F0D7F23102115809FDCACE0CC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:52.989{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50535-false10.0.1.12-8000- 23542300x8000000000000000845358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:55.466{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB8A3AE2F64E2A64AB293D2DD09BC4B,SHA256=6DE44CC3E2D90D22CB9FE80B65FEA98D8DE420FD58FB162DCA30F31E026188A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:55.114{E56ECBBF-24EA-6387-9202-000000009902}40043216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000845357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:52.401{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54169-false10.0.1.12-8089- 23542300x8000000000000000394519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:56.762{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB47EBAB4A95FD2DD73FF048AD60C756,SHA256=CAEDDAECB554D1F4809DDBB858CB340E0437EFB6A8B1A9E330E59ED13E057248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:56.568{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059FDEA8549A647254D594E9B61F1F45,SHA256=1EC0D57D580712B7E461E44684197EC1698022E35EBB48ED5F41285663D933B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:56.062{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8B74273E729F8894A82E4777F01F1B9,SHA256=98468127434EE1438C670F23DFD83ADD9A2AFF66688FE022E4D2AEDE09E962E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:57.871{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FC0467A11D79BE4AACEABFA3E9A125,SHA256=FDCC5292C18982B64C77D8041AF8304E9BA33F5DCEC7D1846DD04980C2DB56B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:57.684{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075D85B6E837A74C11BD7F93907B90EA,SHA256=880D69272428A14FD8D0F078834A48AD3325ECCA280EBC9180C569D36E8AF4AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:58.956{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227950DE7C714684BC473223F94499E0,SHA256=003A86F95E5F61F1F958AF506D6B3981A3557D928D37661EFBECD10E90760369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:58.780{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C37D8F3A7D03D66880E775A0CF2A9DC,SHA256=BE66457C1F9A4389D1FEAF18DB29FDEE3DAE13B2341B602E2B0B6F82180D6EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:59.875{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5081B6EB83178574E7BF0424CC060D,SHA256=7BDC5938FFFBA6F21D63D015EF3B675BE3B528F90D408714561107E0B3B59C97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:39:56.643{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54170-false10.0.1.12-8000- 23542300x8000000000000000845389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.922{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AF87B0869F8AC9C50CA5406487F738,SHA256=C2E9F120BC55FBC9CB20DFB4757169BF63397606D27A1007092AB8F73C3B5C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:00.045{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DACE0B47777740DF52927DBC0862F1,SHA256=729F28A476A545ACD4A7339850140E6CD8305210F626FA23204E29D4CE2C9FC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.644{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.639{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.625{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.622{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.612{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.609{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.606{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.598{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.587{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.583{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.579{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.576{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.523{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.512{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.496{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.491{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.482{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.472{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.462{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.449{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.442{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.433{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.421{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.382{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:00.379{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 23542300x8000000000000000845391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:01.980{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C2FB161758914D1DEA44AFF3BAEC69,SHA256=5BCDA5E2BB88CB8EF49CC1D82E4C7D78C94F4D9C60E0B7989062E4F49E61B3DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:39:58.758{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50536-false10.0.1.12-8000- 23542300x8000000000000000394523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:01.117{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8584AA6D6ABD5D951EE82CE71193ABBB,SHA256=19627B48D8FA279E1CB7A556AF2B0B13B39904E5335EA689DBB506BEDD36F8DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:01.165{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 23542300x8000000000000000394525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:02.233{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6D25B2CA58A0660547433C0143B299,SHA256=03509A81900544A89A2FC203731AE688339B8C86F78D12C4611CDF8C8ED094C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.661{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.659{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.657{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.655{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.654{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.652{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.651{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.650{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.647{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.644{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.643{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.638{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.633{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.627{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.621{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.619{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.605{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.597{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.589{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.582{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.574{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.547{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.537{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.531{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.515{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.504{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.495{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.488{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.485{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 23542300x8000000000000000394526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.346{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05806D91FF32EE40E664BE8AA2D8884B,SHA256=68721C3F1561DCB0CF6A38EE8E6B3D4587F503ED1DDDF08D6B1FD8200A616868,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.837{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.811{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.796{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.793{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.765{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.758{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.747{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.741{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.739{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.736{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.732{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.727{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.724{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.722{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.719{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.718{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.213{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000845393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.212{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 23542300x8000000000000000845392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:03.067{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09872054229E33708DD02FFC72D4F63B,SHA256=D5F06C048301AB8ECB75908BB600E68D0E53FD9C2A85B5400370EC7EDD559427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:04.483{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E13601FB1D5769E3C470A3B8F961339,SHA256=9414E48DA0EF32F1DDAFC3EFEDDD424639D24A0CF9283D6542F8C498EB967F0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:04.878{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-24F4-6387-C002-000000009802}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:04.878{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:04.878{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:04.878{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:04.878{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:04.878{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-24F4-6387-C002-000000009802}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:04.878{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-24F4-6387-C002-000000009802}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:04.879{8A63456F-24F4-6387-C002-000000009802}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000845411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:04.154{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FEA5BB15025BE9C193DF74BD982F947,SHA256=9CC5CA476DAE5174B46A80EAC5C2038B7003FE546FBE4E751AAEF4BDBCE50291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:05.529{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBBA2CB75CEEEF8D08BCB8599567766,SHA256=518F3BAE5021C01A669143EDA98033790C29F5C997C9DFD3690B2B666E8959CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.912{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D3A895F991D8CE27D4E39D49F99CCBC,SHA256=8348586A43DC8186011FCC0C6BA4879845A26188794DD081E23746D92E6C09AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.594{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24F5-6387-C102-000000009802}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.594{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24F5-6387-C102-000000009802}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.593{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24F5-6387-C102-000000009802}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000845430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.583{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2F0DD33411FBCD201FB5E9A79675AD21,SHA256=F7428451917002EB5B417F40E995B60C473779267690117A69778399574AE705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.494{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-24F5-6387-C102-000000009802}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.494{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.494{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.494{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.494{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.494{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-24F5-6387-C102-000000009802}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.494{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-24F5-6387-C102-000000009802}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.495{8A63456F-24F5-6387-C102-000000009802}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000845421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.259{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D054FDE9758B3C38EA43228C62B2C8F3,SHA256=ED6E357416317CBE1C3256F1AB2293A1FFD46BA3FEB31C7C01AD1E0008E42306,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:02.578{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54171-false10.0.1.12-8000- 354300x8000000000000000394559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:03.942{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50537-false10.0.1.12-8000- 23542300x8000000000000000394558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:06.625{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57B2118109E02D7D434EAD51BD01D4C,SHA256=E1A0193F2DFBA9CF1DA3C9AD64EF52858A002B58AB48208C678FB3F82732DC13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:06.371{8A63456F-24F6-6387-C202-000000009802}536380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000845443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:06.246{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BFDD8F73EB3FAE3C0DAC2250475DB15,SHA256=62A21823BF7605546A4488ECFE388632A77BC0EEBC35A75264B1A4D7758AA040,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:06.152{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-24F6-6387-C202-000000009802}536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:06.152{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:06.152{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:06.152{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:06.152{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:06.152{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-24F6-6387-C202-000000009802}536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:06.152{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-24F6-6387-C202-000000009802}536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:06.153{8A63456F-24F6-6387-C202-000000009802}536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:07.722{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC40ACF40A957A8EDFE24FAEEC4EE713,SHA256=77385854AF8753469C564E9D755755EA56B03FE814D8A5186497A76EF01C6935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:07.527{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1EF1A04FD5956A3374EAF8D8ECF14926,SHA256=16257C0A0910C090AD3521E5E70FE072A73CD8B2E94F90E359E61CEA62F69293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:07.324{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1403DE197A756CA0D54C058A986C926C,SHA256=0BF932135BFF919DB4CC0479C81BA895E79F025B8D2B71EBD966445780E2D203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:08.821{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE9E1F7B015E868EA7A129CE76758EC,SHA256=522BE914E5FBD8712F8D51D5E994B523FE695AAABF2E35C23D7061FB5FF0E913,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.663{8A63456F-24F8-6387-C302-000000009802}25485812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.570{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24F8-6387-C302-000000009802}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.570{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24F8-6387-C302-000000009802}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.570{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24F8-6387-C302-000000009802}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.568{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24F8-6387-C302-000000009802}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.564{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24F8-6387-C302-000000009802}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.564{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-24F8-6387-C302-000000009802}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.427{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-24F8-6387-C302-000000009802}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.427{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.427{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.427{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.427{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.427{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-24F8-6387-C302-000000009802}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.427{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-24F8-6387-C302-000000009802}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.428{8A63456F-24F8-6387-C302-000000009802}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000845449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:08.396{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AFA94ABBEFFB6E480A471F5F4C94C7,SHA256=127ED98443FEBC7649468D4221A148A99322589AE200BBBCE59625937236B6D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.846{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54172-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000845447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:05.846{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54172-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000394562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:09.920{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CDE0CB6D881938D86A12199F5409D8,SHA256=F180E4D00426364B9576C6D346FC75F9812B23929004FFA26B43D8AD059EF95B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.812{8A63456F-24F9-6387-C502-000000009802}19882920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.625{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-24F9-6387-C502-000000009802}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.625{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.625{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.625{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.625{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-24F9-6387-C502-000000009802}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.625{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.625{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-24F9-6387-C502-000000009802}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.629{8A63456F-24F9-6387-C502-000000009802}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000845474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.625{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D930541136A7A199835D045E0733129,SHA256=00C0397FAFCF61D015B330835DE45B86388FB694AA8559EC1B6231FB90AB5FB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.278{8A63456F-24F9-6387-C402-000000009802}58445712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.106{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-24F9-6387-C402-000000009802}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.106{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.106{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.106{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.106{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.106{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-24F9-6387-C402-000000009802}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.106{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-24F9-6387-C402-000000009802}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:09.107{8A63456F-24F9-6387-C402-000000009802}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000845485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:10.710{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC3BF39D76E608D9FBBE3C11B3F4036,SHA256=895D675C975576231FC290ED1F72493173E3AD1DF89C392BD41EDADFE994BE21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:07.591{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54173-false10.0.1.12-8000- 23542300x8000000000000000845494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:11.795{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E69B4A24747AC779C4AE044EFE1AAD,SHA256=D612EDF11687CA457BE229FA1B2B6024E5372EDBBB33F985E6E531BE9D802615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:11.748{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-24FB-6387-C602-000000009802}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:11.748{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-24FB-6387-C602-000000009802}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:11.748{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:11.748{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:11.748{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:11.748{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:11.748{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-24FB-6387-C602-000000009802}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:11.749{8A63456F-24FB-6387-C602-000000009802}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:11.015{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C24586C0C4575B1E6882B3F5C0102FB,SHA256=FCB6D6E544A451D1C92738E614BF78D3C999F0D03FFC27A3F5E7AE17CE8FCB53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:12.776{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30E22D3251DE2C80B2FD4B228143BAA,SHA256=69B470C7A11E68AE6F2FDF4B8025AC28FE1BC5E8AD9A757A613E98FD5E613798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:12.755{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68783B56177862A586E2C6885226A8A3,SHA256=88B1BC02223D7421B28F9D0C5FFD0871C5C567B304D5F50A7BACDBC26180D846,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:09.882{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50538-false10.0.1.12-8000- 23542300x8000000000000000394564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:12.106{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3734A643D0B3674DF4E58F8B233CBD03,SHA256=9C359C8AD9E2396E13C6BEB9A9B4C8478B4BF8E43BA7E939BA92C8894E68BCF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:13.859{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B11431F233B9BAC8FBBB44007212AB,SHA256=3DC3F05CA50DDD1FA6A6D2885B9C7E92F0D2F1CBE664770491E797EB3D4FCC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:13.199{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE3884875BACEB1C0CE6871DB95EF05,SHA256=68CFFEB05CF45547CAFC241C0FD46BE1CADB06A9AC3890BA424151806A14C6C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:14.960{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF28501C778736776F3A00769D4E8849,SHA256=B70CCEA44508305CEF231CF6A091015F1E7A59645F3BA195A1B66B27B3EFDCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:14.299{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5D0583C892F4CB042ED6E548FCD03C,SHA256=CBFA26BCEBD87BAE19ACA13F7C42A2377E7D8A162BA38A21FA0EFD959FF3AB9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:15.382{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF46076AC760A071DC559762CE2ED28,SHA256=8DF3154535602D3309E28D11F8F0020C6732753BD5B5001A5EFCB3201097C97E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:12.672{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54174-false10.0.1.12-8000- 23542300x8000000000000000394569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:16.460{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B87DCBC24F58A6AED9C56EEE67C7B990,SHA256=33F776B2ED23D6D148EEF016CD3F78570B5AAD08C76CC3E71B0C60BB871E69B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:16.058{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A1EEE82CAF2EC15A77B692E006DFEF,SHA256=A29FD3B7B180BF2F9ECA0523C95124EBEBAA090EE3666B641F38E39E922BE6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:17.563{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1015EB054F4DAACE6024A8CC6FD84A,SHA256=EDF775222860E8C35B0EBE37DDAD21F4DE43FF46DFB26CD56D1D47EE21750908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:17.166{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8E185866439B12BC9EAE2D9D042773,SHA256=1ED397AC8043B239EC979D7E8A6A8271796C4AD275E4E0BB57DCB4DAF9895580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:18.665{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A65F2E2F25BEFD08C84AB835F484D5,SHA256=57FB7DBA6EE85766052688E536D1F38080EB91232EA69B6DC6721B835E94FBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:18.256{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B1B211C6A1B38A22D3AC7081A0C8CB,SHA256=031DA43CF04612956ADC5B268618EECC91DACA53ABB32CEC90E7B3895C4D8E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:19.763{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D48C4683479B53A591DAD587AAFE99,SHA256=6C5604DE56A009952A3F8BAD0A5C0A67BA7EB0E9382F35C0CE43A3BC8238EFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:19.351{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C2BF341A90EBE944F25A9715210876,SHA256=EC9E2D6D0599D31FF231F5BD9841AA9E57B7FAA9395BBEE33AE8B80CCDA41873,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:15.826{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50539-false10.0.1.12-8000- 23542300x8000000000000000394574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:20.855{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4316E057569DAFEC267C5B1BB4F77D27,SHA256=C15B5F79AA32BAA8D1D1B75DCA4AD21E7E6EF7ADA0762DEDDEB3BF7A92C7C906,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.630{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.625{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.615{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.613{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 354300x8000000000000000845526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:18.561{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54175-false10.0.1.12-8000- 10341000x8000000000000000845525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.596{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.594{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.591{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.584{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.575{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.571{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.568{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.565{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.534{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.527{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.512{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.505{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.497{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.485{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.475{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.459{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.448{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 23542300x8000000000000000845508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.439{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB9E7459E875E0B2996202515D33C456,SHA256=0F78DE4A0A33E56B9B52C4DE0DE75C9C94D6052395049A8EF80433B434364412,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.436{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.427{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.386{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:20.382{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 23542300x8000000000000000394576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:21.968{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1FB167B995E59CE7B429E840B50C87,SHA256=1808C64F4206CB2A55FF7ED6C440B1C622991C52AE6D243185F11D9EE8044349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:21.830{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652325A5BF6627F483A880AED3F00BDD,SHA256=CA01B5343F963DC75845510EEDAEA055E1C94D6D5C4CFA2942330CF95A0C9CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:21.827{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=232ED68CC199206EADDDE14C45A7D204,SHA256=7F7B0E7401A63B2152D6737C8308EC70B2BE95E029D681D12A39EAF3045A7ED4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:21.177{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 23542300x8000000000000000845533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:22.904{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05162A5793D31504220199113AB4839,SHA256=8A5662DBDA7F6EF0323F3BCEA1F4C724C21D829D9DC4A07AC38037F209542CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.971{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E62D95478482A52DD260146704449F6,SHA256=10A4C27A7BCA46A20C61ED0B50E39B44281517A3647D636C2484D89C3D67C3D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.680{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.675{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.673{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.671{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.670{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.668{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.667{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.666{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.664{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.656{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.655{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.650{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.644{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.638{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.631{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.628{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.601{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.590{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.581{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.570{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.564{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.533{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.519{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.513{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.506{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.499{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.492{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.484{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.480{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 23542300x8000000000000000394578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.235{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-068MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:23.077{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501C3DF002D77752E969C612BB390975,SHA256=014890DD08E96EF54B53FE161A824D393836AFD8662610281FA14615E0CAFED8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000845556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:40:23.904{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\1DB41A76-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_1DB41A76-0000-0000-0000-100000000000.XML 13241300x8000000000000000845555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:40:23.904{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77\Config SourceDWORD (0x00000001) 13241300x8000000000000000845554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:40:23.904{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77.XML 10341000x8000000000000000845553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.888{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.888{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.828{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.814{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.790{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.788{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.764{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.758{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.749{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.744{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.742{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.739{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.736{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.734{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.731{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.729{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.726{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.725{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.214{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000845534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.213{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 23542300x8000000000000000394610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:24.515{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5360B4751C1DC807B93D097A0BCDA224,SHA256=A4A03390B30F07FC04E82A52E3DD0A68499ADE8B1C7BD2386870473F081C58D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:24.242{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-069MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:20.835{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50540-false10.0.1.12-8000- 10341000x8000000000000000845618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.733{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.733{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.733{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.671{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000394611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:25.264{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7CF61CFF7D665FB7EFC5D9086CD10F,SHA256=E2F241088F75EDA67FA884621BC150507090263B8023D27FE9B2F9D6474CCB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:25.913{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABBE9F735296F78E9E169C20130C5677,SHA256=97E0B1093D4A86645805C1E9CA81BBE06744D93E324B67259F77369CA5674528,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.336{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54176-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 354300x8000000000000000845626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:23.336{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54176-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 10341000x8000000000000000845625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:25.747{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:25.747{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:25.575{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:25.575{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:25.575{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000845620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:25.137{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8216AEF7926B52DAAFDC17EE09DC57,SHA256=204B433F5F3EF4BEFBBA8C99DDCEC644327DEA9964A099CBCAE5FF9D8462CC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:25.137{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55920374B8862A2548B25EA94AB103FD,SHA256=D5E5548AE93F00216BF6CA05C6371439C4295B4A216FB6D255E3E951C8E71C63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:26.334{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44AD356246B55B0BED9C8B2346231BB5,SHA256=121321017AAB46E0EE38FB23D1EC789F15C70ABEABB1F1A5D25CD66884962192,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:25.019{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54179-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000845633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:25.019{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54179-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000845632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.503{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54178-false10.0.1.12-8000- 354300x8000000000000000845631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.177{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54177-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000845630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:24.177{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54177-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000845629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:26.221{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C73D6018A8FC3A5388CD1C30B44B07,SHA256=04EBBABE13949E7B8FBC46DE4A7FEB1CF714563E987E34C3A266CF39D5CED364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:27.441{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B98AEFDE765E453C4808815EC90DFD,SHA256=941FB62A23610DEFB16E6CA8F084F283EC424A216E5F8F6B04B16F05B06E80C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:27.329{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B9D1E66DF92CB3D6DEE6323936AC1D,SHA256=AA6C4B9C3983E21748FADDB5554FFAE9AE8395A9248BE166CCC6BC2C5B406916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:28.531{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1388726CC99C4C513D1573343FCD645E,SHA256=C9EF1695075574514C8B4A9C4CD09EA6FA40FF3192A434C73CEFDDFC11C1F8A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:28.412{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C5002AD870F4B120CEC2B2FC141E4A,SHA256=05D591A7E3DADEC73C6AA48289B9626D190C1562E3678E087FE63674AB46CEE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:29.635{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCED18EDF8D92E5FD1B79F481D355FA6,SHA256=40A1144C30080D9336EC75CA88DBF3E75C7F78E5B538687082940AF2ADFF475A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:29.517{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014B3568017597A98312F644CA6BAD5D,SHA256=B1F0C7D038FD81CD1EC26FB6D4D6C9704977C7C80BCFC721011784FFBC6AD4A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:26.003{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50541-false10.0.1.12-8000- 23542300x8000000000000000845638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:30.600{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AD81A734891BBF2D6FC032CC8047C0,SHA256=F53F1DDB5EEF771875DBF3140AC1437D00687712FA035FC523ABDA4B530CD1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:30.730{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD306D1DBBC59AE845043050A053F5A,SHA256=23AD2BF4D1DA95661ACBF061149D6AE9DB03FCF1627CBA03C2909BB936C66B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:31.810{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3144C315A81329551BC7F961245E8762,SHA256=913CDD7521E0C93D669F080931E08375DEA55F577B2427E394755CDBA1B4E59C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:29.638{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54180-false10.0.1.12-8000- 23542300x8000000000000000845639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:31.699{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D41F31B4968F933C399A12ACDB6596C,SHA256=92E22A71668F054C0C46B894E871906CF0D2211D9AA721A41EFA2F6B80B809E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:32.909{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B48F42B00363085A36BE59CFED992DD,SHA256=566449C582078D28F70E456AC5AED5BDDC383DA320380EE5B07259E58B586D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:32.793{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4287A6D36D7D295FFEBA36123206CFE,SHA256=595C5F1A08D0CB1443632B7AF9DA2C9983D9AC6425BE58A259A3617223CE3EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:33.865{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5EA6A24CBD26E7A92C4B6DAC3B3420A,SHA256=2EC63077204AEF9199BD145C9E050BF2FA5AF93DC28158ADC0C85EDCB573B90E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:34.955{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422555BE6ECB29773D505C7D123FA441,SHA256=08AB6A204F091CD427244F56D773498015DDC1228DB37FDA89226AC5193DFEAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:34.025{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F12D0E2BFA4A9EE637344BA4D2233A,SHA256=41FE4EB1A19A766DA319B03744E55B8E075923BA38B0451A583B89007BBFA822,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:31.867{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50542-false10.0.1.12-8000- 23542300x8000000000000000394621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:35.109{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8701FA9D21DB5306BF72C17C6B70B4E9,SHA256=4857355EB3141C2C2A8AF485A063DA5FBA94A832E353CD15EBA1555CA806923C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:36.214{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E386A5CEA46E292C18A3BCC62ADAFCA4,SHA256=32E12FFBDAC71167EBE85521643BF82B79991C3FB25E6BFB5A114AAD072D7492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:36.050{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC3B2D3AFCCF9554D3DF84054C72C32,SHA256=D5A168AF463A44A56EFED6EE584326773EDF32753B2DCD5B559FFB81FFFD5E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:37.312{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79892BF9913FFBE581E4881B89137154,SHA256=42FBAF15B5CD8D59F53D344914EEC9F7836BEDFFC55ACA76EC9AEEDE4AF00C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:37.913{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-068MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:37.582{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6114D437D3F05C6E99CEBA5398C28EDC,SHA256=5F231B231FE3DD46D08CEE11F387E0118C6130F15519AEE678A6F2EE6556DBA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:37.392{8A63456F-245D-6387-AE02-000000009802}5168ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=15C7F0F6CC50A53FCC2134D413960FCF,SHA256=4B1A2E2EEF5184CF780026E8E13072A8E42205C944802A139C58F39FF7758B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:37.163{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6043D47B4005E1FF891EEF176EDDDD,SHA256=815DAC3F5C1EB91771AC081D6A7194892C46E41EFDE9FB347920D1207497EC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:37.202{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E2C640D50F45C7808F8756A812A85A8D,SHA256=0AB1D830DE647719CC72435055A3829638CDB18DA163D73876882833576C9E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:38.414{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8157A18431B921EA528BE739A513D55,SHA256=298B26000438D689335A62FF20AE245576C3DDDC7657AC017CADE17FC1E8F5CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:38.919{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-069MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:38.339{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7E80B7FEF98B531FC8CA6829D2859596,SHA256=2C58512EE133D064633CA42C7BF56B4B27AAB98923A84855E1A47ACBEF659808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:38.276{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFF244278DE24A41F3F4EFF5C4B0CF9,SHA256=5AB6BB72E33C9F52DBE710AF5C855293CE15B95ECEAFB76B4CC63DEBA886A19F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:35.556{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54181-false10.0.1.12-8000- 23542300x8000000000000000394627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:39.525{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BEC9257E5EE41FD7E9882E5705B88D,SHA256=0942EC5211D290E35E132F4B354C84A699734B7E273ED04D2554F35F2F533476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:39.350{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70B5C058C684616E02DF0EEB134F9D7,SHA256=55CC295CB402285D2EE513396670FC9D0287A106BADD3854FFD434168AD18DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:40.634{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDEF40D38BFF883EADC12AA70F6C1AD5,SHA256=35D2A871F5F1D51241F54E85800832D805519DF0A9BCBE6A730463F49E1EE4F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.641{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.637{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.628{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.623{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.616{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.614{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.611{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.605{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.597{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.593{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.591{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.589{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.556{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.549{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.534{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.528{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.515{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.502{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.490{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.477{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.461{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000845658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.453{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8408927BB24452CFE49235C866611B,SHA256=34987737C4481F1188D17D84F04C635642791BD822B3AAC8FF1E0CF7EF9BC001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.451{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.440{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.393{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000845654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:40.387{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 354300x8000000000000000394628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:37.830{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50543-false10.0.1.12-8000- 23542300x8000000000000000394630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:41.727{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F781861EB928B9B54CCCABB944CDB71,SHA256=A3F6A82EB5F9DD50ED0B266EF81C77F9FF806A5DFEE88D59946417CCC4FEEB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:41.868{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95087840F7596AE9CAA711430B2B7609,SHA256=FD0CBD94B845941EB42B834FCCCC5F998AAC0B4CFA293E16F896CF41F0C62B53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:41.268{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:41.268{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:41.268{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:41.268{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:41.268{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:41.267{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:41.267{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:41.267{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:41.266{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:41.264{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:41.264{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:41.163{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 23542300x8000000000000000845693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:42.939{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=664E73A5D6791BADE0EEC20E08A4ED7A,SHA256=54ECC2733600DC01254C336217A1D95A7DBF42951C8A2E68165A5D9286A5FEB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:42.813{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37E1750117A45937349AA249EB09755,SHA256=2574E79E9A132233FA1C9AA23E6E4EF147B020EEC5622B6E545709161900BFB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.868{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.846{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.823{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.819{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.774{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.765{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.752{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.746{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.743{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.740{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.736{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.730{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.727{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.725{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.721{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.720{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.204{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.202{8A63456F-2424-6387-9602-000000009802}47842924C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980610) 10341000x8000000000000000845697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.056{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.056{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.056{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.042{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.668{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.664{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.662{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.660{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.659{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.653{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.652{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.651{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.649{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.646{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.645{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.641{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.638{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.630{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.624{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.622{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.607{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.597{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.591{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.585{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.578{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.544{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.533{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.518{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.509{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.501{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.499{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000394633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.495{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:43.488{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 23542300x8000000000000000394661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:44.156{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312374094DD13E835F9202CA005F019C,SHA256=44D54C7B92A539B755D5EC7696EF1B68A73DA79A102F3489A67BEEAE7D50F238,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:44.565{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97cd2|C:\Windows\system32\kerberos.DLL+79ec8|C:\Windows\system32\kerberos.DLL+1453f|C:\Windows\system32\lsasrv.dll+2fbf1|C:\Windows\system32\lsasrv.dll+2dad6|C:\Windows\system32\lsasrv.dll+33369|C:\Windows\system32\lsasrv.dll+30cb7|C:\Windows\system32\lsasrv.dll+2fbf1|C:\Windows\system32\lsasrv.dll+17b1d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000845719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:44.466{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:44.450{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000845717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:41.520{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54182-false10.0.1.12-8000- 23542300x8000000000000000845716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:44.026{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756172825CCCA9C87517B9A68011A0A7,SHA256=6086502D18E75F80C88C3827C3919BEE1A5339B8C124607941EAE3670A3F68C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:45.482{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B089FEBA6FD896A9EDE01BCCE742743C,SHA256=F6319EB48976B26E9C2A9DB0FA99293657E65FA74BEA3B04BBD4A92AA32F33A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:45.132{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81EE92E182125E1CBA8A9AE7A3BC3A9C,SHA256=2B6988AA20EA51FA6D86467376DB24991D085AD5A0E86AC717192009EEC10AD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:42.999{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50544-false10.0.1.12-8000- 23542300x8000000000000000394662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:45.240{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A81455097D927277A603BAAAEC96108,SHA256=4CEEACE220445C960A0B7F73BE3FC0CA8D73A2D193EAE6BDFC57702EA44CDBBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:46.222{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE07383A6FD77A8FDD7197489C5B5B2A,SHA256=303320BCF98C8F225ACF702AB817C65FFDAD4AB02CF7FFE0FA143AFDE7F8B044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:46.310{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D6438E6C8EA98B307829D436FCE4E4,SHA256=1F457A53B6CF39F979BC7687BB40AA9EE85E33B0C5AEFDA27154B21DFA238B72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:44.014{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54185-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000845727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:44.014{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54185-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000845726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.914{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54184-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000845725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.914{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54184-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000845724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.902{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54183-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000845723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:43.902{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54183-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local389ldap 10341000x8000000000000000394667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:46.240{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:46.240{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:46.240{E56ECBBF-146E-6387-0B00-000000009902}644536C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:46.226{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000845730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:47.330{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D71FBECE8ECADBCE11B2A5664F701D,SHA256=5EC31246B6A4E4FE3C5E9E83DCD4BF89ABA84AA2FE84643D485E5A8DD6B2A285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:47.416{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A85B7EA3C6B0B0F878DCAAE18E0AD74,SHA256=571C068A6657890A252DB9BC866688E88D8A421B30D6F1A8A7164CD68F641DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:48.427{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC27EC2DDDF69101902306EE394E177,SHA256=5DCE18704E3EAB1DEE0AEB5749BA2DB55B1E0AF6EF5AE08A54930B5A9B292DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:48.511{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E88CE51BDCBAB29330F5F2F138D9A7,SHA256=640E5F453D98C1F772C2A17C7634090B191556A5C22A16CFE35A5C97A6F03333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.800{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.769{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2521-6387-9402-000000009902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.769{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2521-6387-9402-000000009902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.769{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2521-6387-9402-000000009902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.770{E56ECBBF-2521-6387-9402-000000009902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:49.612{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0075A9D3E758D688AFD9025E3BA5E8D,SHA256=0877E3DE4930EEF502803EDF1080106B51C71096CB07ED109146F0B03176688E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:49.519{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F148744E2483B8DCC8FA80DA1CF8B5,SHA256=59E5A5C73860896E1D192999EEE3C2C33AD877403BE665651F658775F1E1B3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.888{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37215FDE86643F037CDAB5FFBB52F11,SHA256=37CE6069564F136C4319E6ACD58EB8FF77B7FE8F937699790C57460953CD695B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.888{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D501DD1FC0BE9FAB7E879E757CAB4C8,SHA256=ED3C6C9A11A7B1406378C2F62CFEF72A273B74755280C823F74A45E61911F64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:50.604{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5C2018466F6CAACB02E9A410112AF2,SHA256=07EEA1501FD7802D0C17C695D178A33029052BB470C503959582E334A2E3BD1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.591{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CA0C845D169B0E7A7D3A02639CA0B5A4,SHA256=36573BFD1F84224BB59C858B9827FA792B11796AE0BA3F938A820B96CA034EE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.530{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2522-6387-9502-000000009902}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000394704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.530{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2522-6387-9502-000000009902}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000394703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.530{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2522-6387-9502-000000009902}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000394702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.529{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2522-6387-9502-000000009902}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000394701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.529{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2522-6387-9502-000000009902}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000394700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.528{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2522-6387-9502-000000009902}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000394699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.446{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2522-6387-9502-000000009902}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.446{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.446{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.446{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.446{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.446{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.446{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.446{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.446{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.446{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.446{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-2522-6387-9502-000000009902}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.446{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2522-6387-9502-000000009902}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.447{E56ECBBF-2522-6387-9502-000000009902}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:50.005{E56ECBBF-2521-6387-9402-000000009902}3212980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000845733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:47.513{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54186-false10.0.1.12-8000- 23542300x8000000000000000394722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:51.923{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E307150DB8277A33D866D45DB47EE1B7,SHA256=6D83C5CF436BAA0AA835B4BF15F668A79AD6B05C497CE2614A3E534A686BA9D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:51.696{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C9765A0358A075A2F9608B3CD71705,SHA256=BE4282C8690581B9D3FEEBADEAFF371B93D2744274400BBBD589938B9D0F3ABD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:51.116{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2523-6387-9602-000000009902}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:51.116{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:51.116{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:51.116{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:51.116{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:51.116{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:51.116{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:51.116{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:51.116{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:51.116{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:51.116{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-2523-6387-9602-000000009902}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:51.116{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2523-6387-9602-000000009902}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:51.116{E56ECBBF-2523-6387-9602-000000009902}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000845737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:52.986{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:52.791{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36F7084BD4BB42A472B378C2BE669EB,SHA256=ECCB1612D237D61A2A625B432540EE036B75B0EC3DB2EE4A12F58C3B59D240AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:52.034{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D0DCFCE1840D30C5C10774F09AEC09D5,SHA256=0E018BA7A287B269A52AEAB2D7E9B5913684A4309200F4FCB6DC476394B3BA12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:48.992{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50546-false10.0.1.12-8000- 354300x8000000000000000394723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:48.534{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50545-false10.0.1.12-8089- 23542300x8000000000000000845738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:53.871{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C41B737F1FEF8A76E3A63A4DC91BFA,SHA256=B9C356B1ADCFFF16060C8BD511D722305EC4368FAC4FFAA8F824D52DD331C721,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.736{E56ECBBF-2525-6387-9702-000000009902}33601900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.569{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2525-6387-9702-000000009902}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.566{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.566{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.566{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.566{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.566{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.566{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.566{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.566{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.566{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.566{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2525-6387-9702-000000009902}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.565{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2525-6387-9702-000000009902}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.565{E56ECBBF-2525-6387-9702-000000009902}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:53.127{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9D11D45DBFC5077BC97268A117A473,SHA256=2282B3CCE6FEE4C4583D3E1ADCC923595297945D91BF6DC03FA73A1DED3F7C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:54.936{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=053A037A47224B55B5C3E7B24E064F62,SHA256=790C34C2FD43330FCC231806932ABDD40FE28FC80E3F26C448C982EB534D3717,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.919{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2526-6387-9902-000000009902}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.919{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.919{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.919{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.919{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.919{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.919{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.919{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.919{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.919{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.919{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2526-6387-9902-000000009902}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.919{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2526-6387-9902-000000009902}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.920{E56ECBBF-2526-6387-9902-000000009902}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.585{E56ECBBF-2526-6387-9802-000000009902}26041008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.241{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2526-6387-9802-000000009902}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.241{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.241{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.241{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.241{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.241{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.241{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.241{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.241{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.241{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.241{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2526-6387-9802-000000009902}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.241{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2526-6387-9802-000000009902}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.242{E56ECBBF-2526-6387-9802-000000009902}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.225{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE26A1F3FDFD60E7C572EDABD661BDB,SHA256=09F787307430D57F2631007BD9AD6A3B66A41C8D308BA0EC265360B7C775F7F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.940{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FF035999E09BDFEB72A594D0426BD2C,SHA256=E0C54F21084EDC35CC97F1D4F4941FC26B4DE92FEF2F6184403A8E3ED7A5DC71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.753{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2527-6387-9A02-000000009902}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.753{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2527-6387-9A02-000000009902}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.753{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2527-6387-9A02-000000009902}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.755{E56ECBBF-2527-6387-9A02-000000009902}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.753{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA732087BDC0D9F8BCFCEFD8D4D1E6A,SHA256=A15DD55C1996830C4C8083539DF1A5E0F6176797168A4F3B07FA0605F3CA0C8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:52.627{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54188-false10.0.1.12-8000- 354300x8000000000000000845740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:52.416{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54187-false10.0.1.12-8089- 10341000x8000000000000000394769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:55.081{E56ECBBF-2526-6387-9902-000000009902}39242548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000394785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:56.807{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16EB75C8C333B956E60AE953DA6166A,SHA256=7843361B54741372C3D9D2E0691122ABDF0C1B69CE40D47C2EBA30A526B0F6CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:56.445{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89369C2512E9A2D9CB9BAFBB4717AF93,SHA256=B70577CDDDFBC85C9693AB1AC0F6A40DCA5AAC18A0722AFDF182B4C7AB4CD116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:56.039{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03F86E90A6350162EF8695AC7F93F84,SHA256=391C2781FA6BD5494F34C9D3AB239BA692B26DB8A2DFEEA98F5B6A838DC6EFA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:57.921{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398A7CA7AA6504F0272B25DB3714160B,SHA256=A668DA14266022FF1635364921B8C8D746C22099EBA379AB97A885C412D5A640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:57.145{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524B1AB6CE0D82867659B0061D8F056A,SHA256=30DA666A43294EC7D730CACEE96261AD53CF7EC0C6918527E40CBB52B83C9F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:58.239{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99333AB9742C500C3D3ADD8A63BD324F,SHA256=FC3D2877AC989C9EA09F6AA716EC7BF741B9DB16EAD1E3ECA5C33850B91DB10B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:54.928{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50547-false10.0.1.12-8000- 10341000x8000000000000000845751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:59.927{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:59.927{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:59.925{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:59.925{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000845747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:59.331{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4A0A8C3D527BCB52A6E44E4D5B4B4C,SHA256=38F7C5BE24C6304B2F0ABD9D38ADBA094973313845FAB82F39E64A0E92B11A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:40:59.005{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A6AEABCDCF6136925A1701F9B0FBF0,SHA256=2F65C59379CC0E6FDC647C517282D3027ED34B2AE3C98200DAE2BE6E9BB4A788,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:57.153{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 10341000x8000000000000000845778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.646{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.641{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.633{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.630{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.621{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.618{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.616{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.609{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.599{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.596{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.593{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.591{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.560{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.554{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.541{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.536{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.529{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.522{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.513{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.498{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.485{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.468{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.452{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 23542300x8000000000000000845755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.406{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17594DA4CA634EC1B5970F19F77CF035,SHA256=9AF11975616D30B742AB2D13FF7085E999F00E8021E16159E4894082290538CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.394{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:00.388{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 23542300x8000000000000000394789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:00.098{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7045A64D199BB19276F3CDFBCB8B9C,SHA256=4A74883818DA0B72D27085160D037C8FE6F82C5C3D7ED289F7CEECA81BBBFA19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:40:57.636{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54189-false10.0.1.12-8000- 23542300x8000000000000000845780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:01.542{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225E6CF42065BFCA7EBCFF015E5035D5,SHA256=1EB8DC641594836CDA082B0B5D2C2A8BEEA456026AF446B724F962B3320BBBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:01.180{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB425EDD3B650CB13631E43E2A2ED38,SHA256=E03996C2EFF1D25BB38B070601FB7A1C3BB77A7D3710D5FF9AE78FB8FF2EA085,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:01.122{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 23542300x8000000000000000845781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:02.638{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221466D0A078FF58CF4EA14C2740A91B,SHA256=EEDEBBC1CA1B5EA020F9F860DD28C1082DAA0E0459F5B16F1A10FBF787C83CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:02.289{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4E749E65239BD55115CB7CE73F596F,SHA256=B3781F0D08CC17FFCE929F207DB2D91F91869D97CBF6C05C5F32CAC652460BC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.872{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.829{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.802{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.795{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.743{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.722{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 23542300x8000000000000000845794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.718{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CD9193763B60DBBFC90AEE03A24350,SHA256=4287C70D95840A09D47EB9A59257F474BD53C54C2320CD2EFA2B0BDB64882DC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.699{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.689{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.685{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.678{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.671{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.665{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.661{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.658{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.653{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.652{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000394821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.660{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.658{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.652{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.650{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.649{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.647{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.646{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.645{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.644{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.639{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.636{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.632{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.627{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.620{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.613{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.611{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.597{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.590{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.574{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.566{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.557{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.530{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.523{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.517{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.510{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.502{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.494{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.486{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000394793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.482{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 23542300x8000000000000000394792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:03.380{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6F5186A241E76F6665866FB637F7CE,SHA256=CBD6FB2DDBD92A467BC0B85622C6D80BD0C765B7ACF76C6BE29891FD3C30C77E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.140{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.138{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:04.892{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2530-6387-C702-000000009802}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:04.892{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:04.892{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:04.892{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:04.892{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:04.892{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2530-6387-C702-000000009802}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:04.892{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2530-6387-C702-000000009802}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:04.893{8A63456F-2530-6387-C702-000000009802}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000845801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:04.673{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEE5B8AED5D3BFEB9580007FA2FC6C1,SHA256=009DEAB3666F109F7DF748E85503A59EA68D276E2628425464162F8C6A79D185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:04.918{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4568CA2F24252F45E0F425DBD401FA48,SHA256=01C5C7468441185173D0574B634CE6F329162D52C43CDCB8CBC5E45724F492EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:00.820{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50548-false10.0.1.12-8000- 23542300x8000000000000000845827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.780{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE64397489C4A2982C664E80A2C3973,SHA256=C14CBE18AEBE1BC03CFD29950D0EF6B2CE49E1817AB9587C111FA208D8FB8AC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.561{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2531-6387-C802-000000009802}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.561{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.561{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.561{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.561{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.561{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2531-6387-C802-000000009802}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.561{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2531-6387-C802-000000009802}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.561{8A63456F-2531-6387-C802-000000009802}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000845818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:03.610{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54190-false10.0.1.12-8000- 10341000x8000000000000000845817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.123{8A63456F-2530-6387-C702-000000009802}59205148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000845816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.057{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1B7DC21BD70780893B8FE39D5F0C85F8,SHA256=4951D6BA67A632ED16A1D7751629350A9ADBC819728B2B4D88393C322F7FFA6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.010{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2530-6387-C702-000000009802}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.010{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2530-6387-C702-000000009802}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.010{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2530-6387-C702-000000009802}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.009{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2530-6387-C702-000000009802}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.009{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2530-6387-C702-000000009802}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.009{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2530-6387-C702-000000009802}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000845838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:06.861{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE74F85A3BBBEBF0EA62B22B7A9B1AB,SHA256=4B7807826E67751177B70644A8065FE243079D21622A376AB2F6E9265BAB5A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:06.783{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C63E0F79B46E84F640762BE6FDE4D001,SHA256=494655D6487AC47BC5D89F7FBB4305DB35570F2D6158D5AC53E5AF3A9E8961A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:06.013{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F138A03A02FB95C2357789D4B13A5E,SHA256=ACCDD83054F0C1C4BB5C669F3CFE30F6E7F24132CC5480B2BE148215C608D41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:06.272{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F70C1A4E6F03D6835E293697465D7FA,SHA256=4CB181FEF59E13050FAE392F4AEDAF1795BEFA2596B4FE5532463276D295DBAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:06.241{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2532-6387-C902-000000009802}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:06.241{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:06.241{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:06.241{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:06.241{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:06.241{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2532-6387-C902-000000009802}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:06.241{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2532-6387-C902-000000009802}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:06.241{8A63456F-2532-6387-C902-000000009802}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000845839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:07.836{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FAFDFE8E74CEC4CF211AA3E1353CBC4,SHA256=9CF785A2982389A933B89ECEA6F2C9FB1D3A1F1DE769170E980733BFE2FC428F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:07.113{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1D26974C7EC9FF95F0BF0FE8EDA4E5,SHA256=53488104A13D6E895DCCFB196B6600A193EE5D8409E02603923F31B24B1962FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:08.919{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5CCAFD6CDB686D7B448E16C69E20FD,SHA256=B4BFB83EE1A0747679F8778907E1748EA1585469FF70E2624E443692FCAE5D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:08.195{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A38D1969E28F2D63F547DE1059A213,SHA256=70D30033FE13DA7087032F154EC45C00AC882D661C8C2098FB8D21302298878B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:08.607{8A63456F-2534-6387-CA02-000000009802}51245132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000845849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.872{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54191-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000845848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:05.872{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54191-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 10341000x8000000000000000845847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:08.435{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2534-6387-CA02-000000009802}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:08.435{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:08.435{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:08.435{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:08.435{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2534-6387-CA02-000000009802}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:08.435{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:08.435{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2534-6387-CA02-000000009802}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:08.436{8A63456F-2534-6387-CA02-000000009802}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000394828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:06.819{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50549-false10.0.1.12-8000- 23542300x8000000000000000394827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:09.288{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5ADAFC3EB4CA3C1F863610CBB79492B,SHA256=773B548D2A35F0F053281E1A7CE6265AFEE3725219CA740120527C71131E33D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.713{8A63456F-2535-6387-CC02-000000009802}46245344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.573{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2535-6387-CC02-000000009802}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.573{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.573{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.573{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.573{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.573{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2535-6387-CC02-000000009802}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.573{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2535-6387-CC02-000000009802}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.573{8A63456F-2535-6387-CC02-000000009802}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000845860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.401{8A63456F-2535-6387-CB02-000000009802}4212732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.033{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2535-6387-CB02-000000009802}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.033{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.033{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.032{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.032{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.032{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2535-6387-CB02-000000009802}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.032{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2535-6387-CB02-000000009802}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:09.031{8A63456F-2535-6387-CB02-000000009802}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:10.382{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5705EACA23C2ED029FBCF08E07CB142,SHA256=7259BA39C0063FD516824FB290242AC807DA69A8E5A77F9D18A097F119833909,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:08.614{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54192-false10.0.1.12-8000- 23542300x8000000000000000845870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:10.011{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EACB3B985AA529991F4671490B568EF,SHA256=65B9A9786CDC5E7921505753FA905A4246343E63724BEA6B5C7677DC5529DD16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:11.481{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57C9F006828505211B49774145104BD,SHA256=C0271350DEAA37F7AF2DE446D57BF35C42083EED4CA19375A538F8ADF26DE909,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:11.758{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2537-6387-CD02-000000009802}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:11.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:11.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:11.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:11.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:11.758{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2537-6387-CD02-000000009802}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:11.758{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2537-6387-CD02-000000009802}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:11.758{8A63456F-2537-6387-CD02-000000009802}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000845872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:11.090{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32009912411125959F93EE012A375604,SHA256=070F4C725DB1390EF1575967C35A939F1D43E8995C4588B8672E55DDAF14AF55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:12.585{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253B2F080CB829DDA2A4227ED1C2A945,SHA256=E9A883E71FEE1F5666C095277025AD8D40CC9B449B9DE2C8613108534F41092B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:12.867{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EBADBD0C98FD43E975FAFFCE5E2A1F1,SHA256=ED2F16529E9355574500FE49DCD588C02FD9138452507144613E11A6E23C89FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:12.422{8A63456F-245D-6387-AE02-000000009802}5168ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-11-30_094037MD5=41A5099AA37AD4F0A0A1E71BEA9C0DEB,SHA256=B5261D409393211C94669CDB7A5E82A6A0BFBEA284F0C46C1B391302320C3111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:12.187{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40508AFA8DC8F33F05DB6E08038E6C99,SHA256=57004F06647F4D3D4CAA0A0AD377ACB5F640D97C45EF814432E02CCD9D8039CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:13.674{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC9CF90AF47B3F3B586CF26388144AE,SHA256=CEA0C4269F5EC9911E6CC2B045005F6F31585C76A160E0D102E3860F8B218C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:13.251{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C7F3D649206A68CD691EDE10249C99F,SHA256=E9FED64346BC9DE9D87371C6BB7F8F8172916EC86BAF062B0CF9A4F5A4A96F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:14.777{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D87B5DB24EBE99D0ABA436FBA7409B,SHA256=2742288D31DB606533754A8382210951C1EA21433302385E4AEF664E81A4983C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:14.330{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587666CCC954532B9C6D8C33D47532A7,SHA256=16C1C37A3B25B3D0994896C7E27793B67D1154D2CA7B3894F84DEA537D602E36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:11.977{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50550-false10.0.1.12-8000- 10341000x8000000000000000845894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:14.164{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:14.164{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:14.163{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:14.163{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:14.160{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:14.160{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:14.158{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:14.158{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:14.152{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:14.152{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000394835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:15.875{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B0352FE873F1DEACE74D7A2B4C25E5,SHA256=8C15C742EE1984A7A2F3C08C88619651E92E904398ECEBA2952E3703C43429B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:13.645{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54193-false10.0.1.12-8000- 23542300x8000000000000000845896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:15.426{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F190A3332B7561F39FA05D1A3A72E02C,SHA256=AD90DD88EC0BC0AFFEB083D9A875EFA0B312CD8F40A37F7BFCCE865BD5C0BCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:16.974{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842E58D79170FA05607A030D7BF54BB8,SHA256=5C694BFD01DE89610BEC873A98690023C611B6639AEE8044E2BCBF5762200D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:16.523{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95615A710ACFCDCE6C44C9B55A92AE5,SHA256=A14BA1F4FDCB90486244FFD8EE3AA95DC961C5BD2C398990C1B1DF39380F5B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:17.637{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77637D026AC614C562A75325EDA478D1,SHA256=CD1D1188517170E6A0312D8A6C0E9EE219F14323E8095718A1ACE7D30E4BDAFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:18.715{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051E6C4CEEBD0DFEAE69C9A2F77E422D,SHA256=C79FDB97246DBDA5E42947B670E12C911F25A18C9BDF940028BADF4C569E908A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:18.076{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94CA4CAF2044E41598AFF457833011A,SHA256=A5419A94FDA75477D7965C30D2B91B0D55C65BD599D93D4300DF56DE2B4EFC6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:19.835{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C679081295AEB1C5867FE0942718F777,SHA256=9E13AEAB3C48F9F41A4B1D6F33C9DB65E0A2BD0C911A387DF24894DA834560AF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000394848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:41:19.418{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000394847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:41:19.418{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0041b7bb) 13241300x8000000000000000394846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:41:19.418{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90497-0x83f45a5d) 13241300x8000000000000000394845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:41:19.418{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049f-0xe5b8c25d) 13241300x8000000000000000394844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:41:19.418{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a8-0x477d2a5d) 13241300x8000000000000000394843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:41:19.418{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000394842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:41:19.418{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0041b7bb) 13241300x8000000000000000394841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:41:19.418{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90497-0x83f45a5d) 13241300x8000000000000000394840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:41:19.418{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049f-0xe5b8c25d) 13241300x8000000000000000394839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:41:19.418{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a8-0x477d2a5d) 23542300x8000000000000000394838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:19.188{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EBAA42A5F920640D7BA0DF3E448709,SHA256=0DFA51F65F07794C759546CAB05572154386673D0C8CF5F1D5894118926F1D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:19.429{8A63456F-245D-6387-AE02-000000009802}5168ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-11-30_094037MD5=EA09C17705983031949CFB1B67748A90,SHA256=8B9CEE326FACC5B9E2F95EFA0D9B639A226C6E8B009219BA0CA0EE3060D216FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.896{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D0E8EC4F27A1113AD38048C8AA2D49,SHA256=C19001821E7E68DE200F73DA3D548F15C02B4D6B5B6E2CB31D8D20BFA19BF87F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:17.953{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50551-false10.0.1.12-8000- 23542300x8000000000000000394849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:20.283{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C706A71E90784BC6C42209FB58D7EDB8,SHA256=B4C9AC42E08AB6DD58DFA1CDC6FFB12C29D4787DBFAE031B34F3C402B98EB81D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.644{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.639{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 354300x8000000000000000845926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:18.666{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54194-false10.0.1.12-8000- 10341000x8000000000000000845925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.633{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.629{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.623{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.620{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.618{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.610{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.602{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.596{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.594{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.592{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.565{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.557{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.537{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.531{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.520{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.506{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.493{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.474{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.458{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.440{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.422{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.380{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:20.377{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 23542300x8000000000000000845931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:21.965{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCEBB01D941DA2B4FE64C001D4A0FF6,SHA256=08576EA25F6AEDB2C97AA45A294D17748FEE0D1AEB0AC8A01F536027FC7B5339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:21.374{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561EDD42A626038956737F3D6B5E357C,SHA256=3C46569E57FA817599F6562FD1E3603084DB6833A3CCA4A6276182BD20156F79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:21.015{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 23542300x8000000000000000394853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:22.471{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA1FAC540897D8E4C7445CA9EB66F91,SHA256=6846A938EA23314ACAB2CEA361D25DED6F117DCF685F5CC59EBE04EC9EBC316A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:22.197{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=05BC61D010189A85FD99DCA1315845FE,SHA256=A6F38BEEF36656169FCBE796168CDBC2BE1139B53866E2883F2EEAA6C3E9C16F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.617{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.615{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.613{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.611{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.609{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.608{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.607{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.606{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.604{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.600{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.599{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.595{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.592{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.586{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.579{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.578{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.567{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.561{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.555{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 23542300x8000000000000000394864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.553{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C644309E6D85A94B842F12EBA5EE5F12,SHA256=2A83FDB3081A203EBCADED1DD423AD5846039329B9F7C3420CBB8F74FC5E2ED4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.549{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.543{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.523{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.517{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.511{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.495{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.489{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.483{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.477{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000394854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.475{E56ECBBF-146F-6387-1E00-000000009902}20203520C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019AAFED0) 10341000x8000000000000000845950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.692{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.675{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.665{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.663{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.635{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.627{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.612{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.607{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.605{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.602{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.599{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.595{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.593{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.592{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.590{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.588{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.074{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000845933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.073{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 23542300x8000000000000000845932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.032{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7BDE49E838514487C3A6E588BAD3D11,SHA256=4689D5E3B6B3E0637618794F80E51330D61529CDE6B2B455C1E2E9CEFE2A9B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:24.765{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-069MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.753{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.753{8A63456F-1471-6387-1400-000000009802}10921596C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.577{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.577{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.577{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.560{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.560{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.560{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.529{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.513{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.513{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.513{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.497{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.497{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000845977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.415{8A63456F-1471-6387-1600-000000009802}1280NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.415{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.372{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2544-6387-CF02-000000009802}5360C:\Windows\System32\InstallAgent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.372{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2544-6387-CF02-000000009802}5360C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.372{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2544-6387-CF02-000000009802}5360C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.358{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2544-6387-CF02-000000009802}5360C:\Windows\System32\InstallAgent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.357{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2544-6387-CF02-000000009802}5360C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.357{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2544-6387-CF02-000000009802}5360C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000845969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.301{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.301{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.301{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.301{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.254{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2544-6387-CF02-000000009802}5360C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.238{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-2544-6387-CF02-000000009802}5360C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.238{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.238{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.238{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.238{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.238{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2544-6387-CF02-000000009802}5360C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.238{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2544-6387-CF02-000000009802}5360C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+4158d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000845957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.234{8A63456F-2544-6387-CF02-000000009802}5360C:\Windows\System32\InstallAgent.exe10.0.14393.5127 (rs1_release_inmarket.220514-1756)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=FAED69010377AF73D19BF070833DA674,SHA256=094990F2727BAAFC51D74571EA32C18CEFCFB6C66B80EB91F3952C007CE9FC31,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000845956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.176{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.176{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.176{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.176{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000845952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.176{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000845951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.113{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=848A1405D3E86B307F3213D9F4C87089,SHA256=8E45DAB5F831B444F947950C7014C25635EB548443F3E8D594CAD447C99BADF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:25.783{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD3F9910B677DF9D54D0A309C4905546,SHA256=EC143216AD4A62350AAB51B8434331C178EC35488DBF11E8921418618FE56BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:25.775{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-070MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000845996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.038{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local57568- 354300x8000000000000000845995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:23.666{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54195-false10.0.1.12-8000- 23542300x8000000000000000845994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:25.576{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E6D1E2FA9EA9BE29106D1AB5E0FDC7,SHA256=B00F83F1E62B7E2DFC2B0E63FFFAC444A09A4363950AE46142BCE9E20C39C1EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:25.576{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=259975D43D9955037C7A45052791D0CD,SHA256=84EAFA42D8644A5D8EB8217A5AEF959513E4F609ADFE8A1DB4D752C974043485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000845992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:25.576{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D131FE1FB9B31A7DDB5FD3C2DB5C5287,SHA256=1B09BCE3AD8A3607305C50101AA4E92E7E82BDFE617758F278B8911F92E1452F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:25.052{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D8C9BB0E2866E9F97EB1F3F4ADAF60,SHA256=AFC3D82C9BC597A9BEE15C355A0AC2794E8C7BCF0EB1555A7365DD0EA266F55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:26.851{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D8F12DCC10E14886DDC35219D09AFB,SHA256=789741DA066FEF8FDFA3F07919A75A6A767025AC511AD78E34D8136BE0F44176,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000846003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.249{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54197-false52.152.110.14-443https 354300x8000000000000000846002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:24.076{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54196-false52.152.110.14-443https 23542300x8000000000000000846001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:26.644{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA0CD1D690C95771805A46D4B75ECF9,SHA256=C26AA81E9DB0C90054BADDBC8A83ADA54EF33B7B6012E453CEEB0298FB080A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:26.431{8A63456F-245D-6387-AE02-000000009802}5168ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-11-30_094037MD5=DB7EDE2D051BE5F4CEFC0809C6392A25,SHA256=C8615FB26A0B13CCC6EA8B53E2420FB561C594CB42AF9754E7FC288C0E9852DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000845999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:26.208{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2544-6387-CF02-000000009802}5360C:\Windows\System32\InstallAgent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000845998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:26.207{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2544-6387-CF02-000000009802}5360C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000845997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:26.207{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2544-6387-CF02-000000009802}5360C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 23542300x8000000000000000394890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:27.954{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073CE52F38CC7AE29CFE022636FF65A7,SHA256=EE7C04D840B3F4F402C46F9F30F89DA8BBEEF5A9AE30749013B0F1E14C1FF559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:27.746{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0D04CE9CC2010FB82AE4A91F5F246D,SHA256=8198AD5A2E19C2692F6601DF2AD5E8D7CC3DF647157856CA6219968F32C2FF2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:23.958{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50552-false10.0.1.12-8000- 23542300x8000000000000000846040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.945{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B16AB6E332F614AF255A39B3AF24B9,SHA256=FE85FD9B8244D0C924C4666CA000ED494EBF5858C36FDE03E78A6F6630A55BF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000846039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:26.196{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57763- 354300x8000000000000000846038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:26.166{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local57763- 13241300x8000000000000000846037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localT1042SetValue2022-11-30 09:41:28.648{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEHKU\S-1-5-21-3737268975-2892188136-3967374509-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 10341000x8000000000000000846036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.132{8A63456F-2417-6387-8502-000000009802}20564120C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76afa|C:\Windows\System32\combase.dll+6d8bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b203|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000846035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.116{8A63456F-2417-6387-8502-000000009802}20564120C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76afa|C:\Windows\System32\combase.dll+6d8bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b203|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000846034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.101{8A63456F-2418-6387-9102-000000009802}21205604C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.101{8A63456F-2418-6387-9102-000000009802}21205604C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.071{8A63456F-2417-6387-8502-000000009802}20564120C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000846031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.071{8A63456F-2417-6387-8502-000000009802}20564120C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000846030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.054{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76afa|C:\Windows\System32\combase.dll+6d8bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b203|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000846029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.054{8A63456F-2417-6387-8502-000000009802}20563044C:\Windows\System32\RuntimeBroker.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76afa|C:\Windows\System32\combase.dll+6d8bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b203|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000846028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.054{8A63456F-2418-6387-9102-000000009802}21205628C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.054{8A63456F-2418-6387-9102-000000009802}21205628C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.054{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000846025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.054{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000846024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.038{8A63456F-2418-6387-9102-000000009802}21204896C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.038{8A63456F-2418-6387-9102-000000009802}21204896C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.038{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-2418-6387-9102-000000009802}21204896C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-1471-6387-0D00-000000009802}908940C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-1471-6387-0D00-000000009802}908940C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-1471-6387-0D00-000000009802}908940C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-1471-6387-0D00-000000009802}908940C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-1471-6387-0D00-000000009802}908940C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-1471-6387-0D00-000000009802}908940C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000846009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000846008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000846006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-2418-6387-9102-000000009802}21205620C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:28.022{8A63456F-2418-6387-9102-000000009802}21205620C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000846056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.919{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E905387DF578549D62C3A2E48A90A2C,SHA256=0D4A369D5698F8F6DF8E7DA03220EB5DDE6B6ECEE014590E2DB1600194B07CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:29.067{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A9FC1E52391DFFC1B0DD504E035692,SHA256=7DF3C2DCA640F94CDD971679F1BCC931E0D249E74442F6E29CC86258495F9A68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.263{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000846054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.263{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000846053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.263{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.263{8A63456F-2418-6387-9102-000000009802}21205612C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.263{8A63456F-2418-6387-9102-000000009802}21205612C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.248{8A63456F-2418-6387-9102-000000009802}21205632C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.248{8A63456F-2418-6387-9102-000000009802}21205632C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.248{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.248{8A63456F-2418-6387-9102-000000009802}21204896C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.248{8A63456F-2418-6387-9102-000000009802}21204896C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.248{8A63456F-2418-6387-9102-000000009802}21204896C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.232{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e30c0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.232{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ba330|C:\Windows\System32\SHELL32.dll+e307c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.232{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3050|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.232{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000394892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:30.178{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE56966779DE48E83F297885D9FC5AAA,SHA256=18127C3736041F3A156B26887C6275753757C52D5A18311209F6C659A334C982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:30.928{8A63456F-245D-6387-AE02-000000009802}5168ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-11-30_094037MD5=6E95A553C15F7614257CE56A7B3D771E,SHA256=28212C8E95CBD0D37EE7AC3612BA506D3926F7724582CABE2EC2542253124121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:30.928{8A63456F-245D-6387-AE02-000000009802}5168ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=AD80B2AFB85A2C45F12BF94E48169A9C,SHA256=C2773A210D80C272F27792B2BA323EE3DD7A68B7474F7C222B00DC7FE517CF4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:31.256{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516E54D09FAAE288E42DB1CEB263EDFF,SHA256=334DD540CF19647840A7C3B76B327E189BB140652C3D5CD051AC826352609261,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000846060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:29.493{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54198-false10.0.1.12-8000- 23542300x8000000000000000846059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:31.023{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B40D996240427C1185B1D915BBB78A,SHA256=09EDB14171EB0983ED0A9C38B4BD53E3A9D0799FB723E5595B8495178FB19AAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:29.778{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50553-false10.0.1.12-8000- 23542300x8000000000000000394894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:32.369{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA11F074789CF68158168882C86AFED,SHA256=847367BE0D5A08B8ADD58CC761C68F1AEF4D1A8582193EA5CC2D660180B98E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:32.119{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69EB8CDAB4ABCB2D05256B5D30E9531,SHA256=988009C07D8BFF5505BD527929A8D7EB5E2758426DD4F00795BEF528A0F36814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:33.463{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0E5290EA2F971101F7C7AA29AA4945,SHA256=6DA98AA4D75B412BA9D7882F916DF7B00346DF23C46AC50C6BD2D1313C9CBCE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:33.593{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000846065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:33.593{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000846064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:33.593{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000846063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:33.593{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000846062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:33.203{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE809CE742F5A6022E3482A7B187FAF,SHA256=5A3EBE60C6674021B944F50FF2C993571FE24676C8AE3387BBCCDA0613891FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:34.559{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC0AFA70888C30C258D6DA30CA17A4D,SHA256=109D9A5CD52D1085EB95F8B630C426CE4BCEB834FF56F7E6FC06F4077A75DE47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:34.624{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000846075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:34.624{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000846074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:34.624{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000846073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:34.624{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000846072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:34.624{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000846071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:34.624{8A63456F-2417-6387-8602-000000009802}18484768C:\Windows\system32\sihost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:34.568{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000846069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:34.568{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000846068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:34.568{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000846067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:34.286{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F794D111EF0A44736A3C8E52870FC2A,SHA256=F9A298E9C5CCC4DC22BCEE86B964494342BB403E742BAC6389A9F95EF749CDDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:35.666{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA30A2C5D1024FB04258C6921F508DC6,SHA256=9B4680F288EC0F1813BF94B10955DB8FEA753608365C97099BF23EFA322E2484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:35.396{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C21EC9A6FAFD7B09AA01B814926572,SHA256=42C3001A411B61FD0C130D28284472796CC1A70BBE0614194FEED6649029434B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:35.286{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:35.286{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000394899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:36.758{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39BF3DDA9D35A80DBFB35EC15001C5CC,SHA256=7B96E90573844B248EFE5B213F966E24607C7D6D3576BE5CED286BB37C30F6E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:36.977{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:36.946{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:36.946{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:36.946{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:36.946{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:36.946{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:36.946{8A63456F-2418-6387-9102-000000009802}21203140C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a198f|C:\Windows\System32\windows.storage.dll+a1605|C:\Windows\System32\windows.storage.dll+a10f6|C:\Windows\System32\windows.storage.dll+a2568|C:\Windows\System32\windows.storage.dll+a0f1e|C:\Windows\System32\windows.storage.dll+a3abd|C:\Windows\System32\windows.storage.dll+a41fc|C:\Windows\System32\windows.storage.dll+1fdbb2|C:\Windows\System32\windows.storage.dll+923aa|C:\Windows\System32\windows.storage.dll+92106|C:\Windows\System32\SHELL32.dll+4ca19|C:\Windows\System32\SHELL32.dll+4b5c6|C:\Windows\System32\SHELL32.dll+6d139|C:\Windows\System32\SHELL32.dll+e7e5e|C:\Windows\System32\SHELL32.dll+158990|C:\Windows\System32\SHELL32.dll+1834dc|C:\Windows\System32\SHELL32.dll+198348|C:\Windows\System32\SHELL32.dll+183676|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000846081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:36.949{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000846080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:36.387{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8534C966C50A47255B6BAE5DDE133032,SHA256=7EE41E6A7E5E5DBA068D0ABB8FFD120732256EA2E8356944D6C42EB694F01C27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:34.943{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50554-false10.0.1.12-8000- 23542300x8000000000000000394901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:37.858{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83E44417A09FE221CF00B60C22F6DB0,SHA256=4154301C0109D0A7CF35B24C00667D8BACEAA5AD9FA5CF358C92A59C3C4F26AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.712{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.712{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.712{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.711{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.711{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.711{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.697{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.697{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.697{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.696{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.696{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.696{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000846107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.474{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDE3E46BFD0C109F2FDECBDC162E3D6,SHA256=C274467AC3F82E0A56AE5B218FC922E6A6B710027F55C2AB3D94D74AC6EC27DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:37.207{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=02E29EC5E5159E8A6FED51CD29DABA62,SHA256=2C03185891D0124FDC4CDD19A263433EF25C725DD5CC1C91785B47F6DF62F83B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.099{8A63456F-2418-6387-9102-000000009802}21204896C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.099{8A63456F-2418-6387-9102-000000009802}21204896C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.099{8A63456F-2418-6387-9102-000000009802}21204896C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.084{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.068{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.053{8A63456F-2418-6387-9102-000000009802}21204216C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.053{8A63456F-2418-6387-9102-000000009802}21204216C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.053{8A63456F-2418-6387-9102-000000009802}21204216C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.053{8A63456F-2418-6387-9102-000000009802}21204216C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.053{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e30c0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.053{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ba330|C:\Windows\System32\SHELL32.dll+e307c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.053{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3050|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.053{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.037{8A63456F-1471-6387-1600-000000009802}12801452C:\Windows\system32\svchost.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.037{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.037{8A63456F-2550-6387-D102-000000009802}51805176C:\Windows\system32\conhost.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000846090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:37.017{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E0A7ABC2EA629D1DBD43E5184168BDD8,SHA256=2094EE485F60B30295366003A15CEE02F3DEB76EC78C9ACA76C0F9A69D79AB8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000846089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:34.558{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54199-false10.0.1.12-8000- 23542300x8000000000000000394903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:38.961{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052726BF902006F132871FA2F0A36105,SHA256=66D6093B217EA353D074429292479BC240AB8523AD4902EFA61B8A4E620B2CC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:38.955{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000846129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:38.955{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000846128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:38.954{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000846127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:38.952{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000846126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:38.952{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000846125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:38.952{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 17141700x8000000000000000846124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-CreatePipe2022-11-30 09:41:38.736{8A63456F-2418-6387-9102-000000009802}2120\UIA_PIPE_2120_00001ab0C:\Windows\Explorer.EXE 10341000x8000000000000000846123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:38.630{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000846122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:38.568{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2F79F478F5BB6BCE8A0FDCE11B2E8E,SHA256=17345F5207251B3A705A688712C85F6B8463BA7F3BCA46B814D45154BA0317C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:38.349{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F9658B1E8963B1BE63D5DF1CC780E341,SHA256=844ED4FF03D1E2B2991DD4F9E8B30946D886CFB8780DA862914B2AE3C08D0017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:38.017{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E20FFFC860E66AA02236B545BD0DDAE6,SHA256=2456CC9751F4DFB536F981692BBE501BC139378A05373351B8E07D64F3A32187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:39.651{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAC9A51C4EC4A6B1FC1B0F32BD9FAEF,SHA256=C9FD6F0AFA7701E1F383B9DBA0FA1D37386307D268CB3F5EC4FF6BDA9AFF8E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:39.446{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-069MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.731{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F954570C1A533ECD2C70E968786E8F84,SHA256=9EBA94A4A9F43607178428563849F9C5F142B0DBF89C2F40ED770FF4F5810EA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.652{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000394907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:40.349{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:40.349{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:40.349{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000394904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:40.068{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF6B5315B0FFDA142B17BF9286F6523,SHA256=46B98BA2BE93B14B10B8A9DD7BFCB246588CEB53B2E840D3BCCD009B5BA02CB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.647{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.639{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.635{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.628{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.625{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.622{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.615{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.608{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.605{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.602{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.600{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.561{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.554{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.538{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.526{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.517{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.501{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.492{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.479{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.472{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.460{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.448{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 23542300x8000000000000000846135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.445{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-070MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.395{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.394{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 23542300x8000000000000000846161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:41.673{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13AD14B3C05118D5B54984BF3835E23,SHA256=F094EE8EAB3BA1A7860F743633E1ECA56FC67D1B2637920322DD323322C34CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:41.163{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4649354C616DB548D5697F734F8564FA,SHA256=0022E3437FF539614F9B9B02DE950EDA4A43C4827B0D6AC70873CCB09D8915D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:41.218{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 23542300x8000000000000000846162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:42.774{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A61E9CBBFDDAF780609CE390497113,SHA256=E5CC6B498C5E92122BF3527845944768E897EFDD4985C25F24B469B3499F123A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:42.263{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864C6F17EC96B37925108CAB06A767ED,SHA256=59350A0C2452CE188EDDC730386118F7A459A040CA2B1E736F55A227EFB4037A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.939{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.939{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.937{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.921{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.903{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.898{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 23542300x8000000000000000846178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.856{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CB42C967C45C599E79DE08394E6537,SHA256=05417B62C5E0101DF95B1A516D0DFBD9547C759582556355BEF0B0C23329B79A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.827{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.813{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.793{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.787{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.784{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.782{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.778{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000394939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.695{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.689{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.686{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.684{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.684{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.679{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.678{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.677{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.675{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.672{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.670{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.666{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.662{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.656{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.649{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.647{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.635{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.628{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.620{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.614{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.606{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.566{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.559{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.554{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.539{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.531{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.518{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.503{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000394911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.487{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 23542300x8000000000000000394910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:43.363{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88FB4A1EF525D69DEAD175A67C6B52B,SHA256=E2831F652A249587DC8EB1D8A79256086353A5932A50B777ACF4FC9B61154C97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.771{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.768{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.767{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.764{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.763{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.255{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.253{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000846163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:43.043{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000846186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:44.841{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF8915546B20E4009D55E4448BF1FB8,SHA256=2084D7077ED4EAA5DD24DE4D2EFF7C81AE6B4788FB2A823296D79F8334A3734F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:44.556{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54068F1A4BC2F69DD2F3AEB7252B3739,SHA256=51F5963060E731CBCDEA7A27F66D3808888C0E7172D132641A5E33F8B237D6FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000846185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:40.568{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54200-false10.0.1.12-8000- 354300x8000000000000000394940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:40.903{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50555-false10.0.1.12-8000- 23542300x8000000000000000846187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:45.936{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4450C5DB342D98F7BBE987417E9DA0D9,SHA256=9301B67BEFEDB2C0F765FC28F4B2B9C52B2C9C92432AD4B0A10A8F1F27680A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:45.639{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDDFF21BA92370969804F7C91CE4E72,SHA256=7A68B175D47A08E30C9177D2E0A0DA13915F8F5E7B7B041BC328AD22960799D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:46.726{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A02D3D1CA01D9B75F1BDE7A16E6B652,SHA256=0CE951EFF56BA55400DF4ED7E3F76AE2B0CFA27F4D63B6CC3D77C63F5723A9D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:46.226{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000394945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:47.833{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4773B963DCCC6844F1661B183501B3E8,SHA256=8A9008EDCD8A2122E227DF78924F6511CCEC24D60DA22402C6A2DF3E42B66401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:47.037{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9CA9638EA45371B9E193FAB9B70DD4,SHA256=9ECA85A226171B331979D58DB86D0D6BAA5C8D9FDF5EC1F346BDD71A555A20AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:48.926{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A158EC73F3FB02342259DD547C2D95,SHA256=29551F731C2A16B1A3C7A72BC1D79CA2A20CEE674A6B5C9A8A4051747D8A9655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:48.130{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F087B2740990554D26662C73CB0B6E7F,SHA256=5817C50393FC17AF3A736748E5214A2901D52B027936AC268C64C552078053D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.965{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C4CBEC380D8E5F84C77627D7441A42C7,SHA256=A40A330BA1899B51B406781BBC38CD80F30A4714D040783B52342991BDAA07A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.965{E56ECBBF-255D-6387-9B02-000000009902}2201476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000846191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:49.230{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D461097B422AB9D4232713BD106A215D,SHA256=6243DA2F9B4FDF074009843BC239D180CECE47AF1F1ED5FBBAC002FA3185D71A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.884{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-255D-6387-9B02-000000009902}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000394962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.884{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-255D-6387-9B02-000000009902}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000394961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.884{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-255D-6387-9B02-000000009902}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 23542300x8000000000000000394960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.826{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.779{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-255D-6387-9B02-000000009902}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.779{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-255D-6387-9B02-000000009902}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.779{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-255D-6387-9B02-000000009902}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:49.780{E56ECBBF-255D-6387-9B02-000000009902}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000846190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:46.574{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54201-false10.0.1.12-8000- 23542300x8000000000000000394981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.954{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89632F1072DFDAF9BA911112E7AA87E1,SHA256=073EBEF1C1B77AC47132C74806AC807C669177929B8B5BA692B58EA982313565,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.438{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-255E-6387-9C02-000000009902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.438{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.438{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.438{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.438{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.438{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.438{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.438{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.438{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.438{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.438{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-255E-6387-9C02-000000009902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.438{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-255E-6387-9C02-000000009902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.439{E56ECBBF-255E-6387-9C02-000000009902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000394967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:46.805{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50556-false10.0.1.12-8000- 23542300x8000000000000000394966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:50.013{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C208A1284A31D2FD4B69A47B130F54D4,SHA256=560BB9973405DD27B0E6429E91B01A1E6703AEC08122C94992A1E9650C900E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:50.333{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15126D51976E7C6AB01F91349C4367E,SHA256=9EAE823EA6E298F1BCA9C678B9FA71C5A4BC4E9A594F7504E343DE27F4059686,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:48.559{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50557-false10.0.1.12-8089- 10341000x8000000000000000394995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.125{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-255F-6387-9D02-000000009902}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.122{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.122{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.122{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.122{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.122{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.122{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.122{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.122{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.122{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-255F-6387-9D02-000000009902}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000394985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.122{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.122{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-255F-6387-9D02-000000009902}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000394983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.122{E56ECBBF-255F-6387-9D02-000000009902}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.106{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88481890A571877464900912D9614D9,SHA256=815C45E9769DC1077C0E29EFC4542BC163C151145D34B623696F8301CEB396C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:51.437{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC6F0E701611B940DB55A9836F12335,SHA256=9E03A5DBA2D2807D2997E14290D31F02F34DDCEDEDDA8A1F6A1DF5AB54265FFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:52.330{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C7FB93F5B732B379B27155EE9E0706CC,SHA256=54B2DEE870C0AF0C162C84428E0CA4C6D9C5A5EBFED8ED1BB15A5D076D9D27AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:52.201{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A10552AC3B064428DC5F7865028EB7,SHA256=928275CC090CB78AD5EA0670A0DDE1E362EFE61744248970130ABA22DFF290BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:52.541{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76820DDF12D1749FB3CF4609AD78635D,SHA256=450295D2BD512AED1217950455C4167AEB3E99B5DC8BB398D754751B39C26682,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.728{E56ECBBF-2561-6387-9E02-000000009902}24003256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.572{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2561-6387-9E02-000000009902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.572{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.572{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.572{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.572{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.572{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.572{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.572{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.572{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.572{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.572{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2561-6387-9E02-000000009902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.572{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2561-6387-9E02-000000009902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.572{E56ECBBF-2561-6387-9E02-000000009902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:53.290{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDB6364C5A32C2DB6D711F14993F8BD,SHA256=6D203D2113676C1258F5B13A3CC0AF14DBE8242281EBB448BA448E320F143340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:53.630{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98B86D5A4E60AABB1E9C1F94470AA6F,SHA256=C090BE3740984E9E77988172C8DE2610E573C672337E30CBFFBCC9B51EC534DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:53.002{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:54.836{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:54.836{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:54.836{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000846197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:54.742{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5542E3E5B7968E4F510188371E813C8D,SHA256=D8ED051874D2325B1B15650049F0E4675AECDD6559DD7352242D603A85BD6FF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.977{E56ECBBF-2562-6387-A002-000000009902}27201452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.805{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2562-6387-A002-000000009902}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.805{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.805{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.805{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.805{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.805{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.805{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.805{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.805{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.805{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.805{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-2562-6387-A002-000000009902}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.805{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2562-6387-A002-000000009902}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.807{E56ECBBF-2562-6387-A002-000000009902}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.805{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2599F0022B4BB3C182344902BF6FFBA,SHA256=593EAACFB330773615F3AAACE4B0D0E0A2603AE8FC193CE24958BC1110BB47AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.463{E56ECBBF-2562-6387-9F02-000000009902}19203140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000395027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:51.958{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50558-false10.0.1.12-8000- 10341000x8000000000000000395026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.246{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2562-6387-9F02-000000009902}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.242{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.242{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.241{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.241{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.241{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.240{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.240{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.240{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2562-6387-9F02-000000009902}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.240{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.240{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.239{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2562-6387-9F02-000000009902}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:54.239{E56ECBBF-2562-6387-9F02-000000009902}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000846215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:55.827{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64F5F780E03791BC26E9A783D5A7575,SHA256=0E6BD83B0833D1EE66A576760D1475FDE73FB4523E0EDADE5A935748CFED614F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:55.772{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2563-6387-A102-000000009902}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:55.772{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:55.772{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:55.772{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:55.772{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:55.772{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:55.772{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:55.772{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:55.772{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:55.772{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:55.772{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-2563-6387-A102-000000009902}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:55.772{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2563-6387-A102-000000009902}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:55.773{E56ECBBF-2563-6387-A102-000000009902}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:55.599{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863ADFD26629180EE60DC563D1897CE4,SHA256=6BEB00B6A24389FDC208C9F6CD0E6829ACCB7A7F147E8215499D8D397F869F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:55.389{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7F9A14698077FDC89284BCE1873AAD6D,SHA256=BEBBEB9CD7EB11AEBF3A5A716628660DFE3AE88623C90A04E3BF381DD06A6E1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:55.311{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:55.311{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:55.311{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:55.311{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:55.311{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:55.304{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:55.304{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:55.304{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:55.304{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:55.297{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:55.297{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 354300x8000000000000000846202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:52.485{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54203-false10.0.1.12-8000- 354300x8000000000000000846201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:52.432{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54202-false10.0.1.12-8089- 23542300x8000000000000000846216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:56.928{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC104B678733CE71D6AC4163D0F12D05,SHA256=3AB76276D544431195C6E5DAAD167C561D1FC8B46261C494D34D8ADF4B77372C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:56.674{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD9D277E529909832663EA1827AC888,SHA256=20285B69BE164745F0566408D8EBC534A6D3251766003B07982EACD6FC9FD257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:57.755{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15CD5A7859A36455D35CF5EDA5580A9D,SHA256=F93BEB435FE284A14B36B15C9F0B1A4BECAF4CAE44633F72F88FA9CA980D2AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:58.845{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2CB661C1E2F0B53A793B6360172F7C,SHA256=AF379C5D3B9C75E84C17689FB354E31CE7AB0D61423C2BED3ABC0F2C26707287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:58.036{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0724628053F7457A73DF26B0FC7464F9,SHA256=3B1892A05AB53EEA8D1C7C093EC80C296715B9EFA3EA789338A684A79EF9468C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:59.949{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6924D5BBBEE5D0FD345FB923F79BA2,SHA256=1C346BCD4B1F378899C026D92E288E03F7D538BA312840CADD9AA845544FAB90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000846219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:57.495{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54204-false10.0.1.12-8000- 23542300x8000000000000000846218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:41:59.127{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8A21570BFB2E915CD473CDCC429170,SHA256=7A992EC0FB27A78F57C5E725182E0F82C46D11A5F3C8FC319DCAEC01EDAFCD86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.678{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.673{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.665{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.661{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.652{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.649{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.647{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.634{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.626{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.622{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.620{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.618{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.577{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.570{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.550{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.543{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.534{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.526{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.514{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.496{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.480{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.459{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.448{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.385{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.381{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000846220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:00.217{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CE06C8FCAD3DBA718F1657D1E9293E,SHA256=965D7237B85C662C7C1BEBFEC21FEE3E8C973C8B81406A45B0BDACBB02CCCF04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:41:56.986{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50559-false10.0.1.12-8000- 10341000x8000000000000000846247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:01.494{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000846246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:01.252{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D960B87FD93A6B8D7681149142B5E19,SHA256=E9DF8DE7190DD29A479BDF727439B0DF8236E229F9A3E41221DC721F5BE9634E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:01.034{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F336022B7910637AB7FCAAD456270086,SHA256=16CD29604FD6080F311AE2208407BF55F605012D6016DF78A335959C5B4CD6E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:02.334{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7847713FA2A6309E8DDBCC47A221EDCD,SHA256=52B0BAE662AE3571DE3BF78DD33DB96B03FF3320A03A537D5B23304625DC83CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:02.118{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA0B165933B4B1DC66AB43EA364256F,SHA256=01923B87B265A8A7F994F776E2396DF2155C49961F5ED0A2B76A3B42D16E8B1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:03.521{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:03.517{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000846249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:03.423{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43CCE6544A27B98339FDD8BC42B48C6,SHA256=A9884F92450F3F74985044C2B54EB80FB97EBC30884235B511E130567228551D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.730{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.726{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.723{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.720{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.718{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.714{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.713{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.709{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.708{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.704{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.703{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.694{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.691{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.680{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.671{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.669{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.645{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.627{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.613{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.601{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.589{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.551{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.539{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.529{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.519{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.506{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.493{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.482{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000395066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.475{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 23542300x8000000000000000395065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:03.208{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75911AC262C174026E5A1AAD58422D7A,SHA256=9C2908726340DF99FA930D84946AD9EF0817F3F743ACFEDEDF93DB875E73B011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:04.780{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80118B297FB07C7FAA39A72F715FDB54,SHA256=9B4B5F1047BF5E3B94E606F00030B62296E89053BD9E884ECCBE60A684C7E862,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.906{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-256C-6387-D202-000000009802}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.906{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.906{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.906{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.906{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.906{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-256C-6387-D202-000000009802}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.906{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-256C-6387-D202-000000009802}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.907{8A63456F-256C-6387-D202-000000009802}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000846270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.480{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBAE5A908ABE12EDCBBB2EEA6856B46,SHA256=518763E02355FD89804654D0894D9FD44DD02607152F6D13BBF15310C30BCC44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.171{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.170{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.168{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.146{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.135{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.132{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.099{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.085{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.067{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.061{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.060{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.057{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.055{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.050{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.048{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.046{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.044{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:04.043{8A63456F-2424-6387-9602-000000009802}47843128C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000846289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:05.764{8A63456F-256D-6387-D302-000000009802}57082920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:05.593{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-256D-6387-D302-000000009802}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:05.593{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:05.593{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:05.593{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:05.593{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:05.593{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-256D-6387-D302-000000009802}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:05.593{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-256D-6387-D302-000000009802}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:05.593{8A63456F-256D-6387-D302-000000009802}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000846280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:05.577{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BCFD8B64D60717E82A268A1F466C5D,SHA256=BBAC6C643F640F3112A2D03E8F685770509B8C471F28AD786104FEA5B3911E68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:02.836{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50560-false10.0.1.12-8000- 354300x8000000000000000846279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:02.694{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54205-false10.0.1.12-8000- 23542300x8000000000000000846299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:06.663{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BC4F86836A18CE11930B30BC79BCB6,SHA256=4E8A3EE2D9BD7358DD338C719164F91752CF9F999943E2B968D9C5726393B907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:06.035{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E449B7A3255456D1C2FF2F211570DD5,SHA256=FE35F37A0EBF931AAD969AE0B59CC4AA8D32C39C52AE82ABAE87C106683BD1FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:06.269{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-256E-6387-D402-000000009802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:06.269{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:06.269{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:06.269{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-256E-6387-D402-000000009802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:06.269{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:06.269{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:06.269{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-256E-6387-D402-000000009802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:06.270{8A63456F-256E-6387-D402-000000009802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000846290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:05.999{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8433877DF723A23A89B54732DA8094E,SHA256=6713385AF700F6C418B632ED60E7D1ABDA359E490F80F0F069C8B01BAF99148E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:07.746{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4170F0CC37A0624E2497A0231194B88,SHA256=8BFFD8F2551182F6DB8F32530BE27FF07C1A65E3A8B65A2A6EE7A5574EF459DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:07.135{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E510A9333F728C15AC0DC48335F74D0,SHA256=143D41E01A64E91D77870A12449BC6EA5DFCF180FB4CE8C94AB2EFE21669143E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:07.527{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=56E6D6C1698632F8401CFF507F08279E,SHA256=FD3FFBFA5D5B956D5ABBD8AC3CC2596F0154F2FA2421505F3DDCE9F2B40415CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:07.413{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=724D6B714F99D6A11BAC55E434DCD80C,SHA256=BF76608C802DA9E3805C7238C696F94B472A0A690E5071B4DCB773B9E5FDDBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:08.842{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C937E38412388A3F0FF00A387C87509,SHA256=042F1D6F6315BA3E53089D3099421377A14E20585C6DA8EE584660465D113F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:08.235{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CD211D79ADF5FB6CD55B9596BF0FF3,SHA256=14A84527CBA4FD3C27CE946AB021A22CF4AF8ACE99106D63D2859FBE917EA4A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:08.670{8A63456F-2570-6387-D502-000000009802}49565012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000846312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:05.883{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54206-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000846311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:05.883{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54206-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 10341000x8000000000000000846310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:08.438{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2570-6387-D502-000000009802}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:08.436{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:08.436{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:08.436{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:08.434{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:08.434{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2570-6387-D502-000000009802}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:08.434{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2570-6387-D502-000000009802}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:08.434{8A63456F-2570-6387-D502-000000009802}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000846333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.987{8A63456F-2571-6387-D702-000000009802}58605984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000846332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.940{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5760BFA459517B96C63AB6969FAF88,SHA256=3477FE6333274A7B0CC995468F3248FB625F38E4F11D05119BA85493EF08B360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:09.340{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42B390904AB2AB8A7D22ADD992DD275,SHA256=1D4D2FDE560D299372AEC51E688D527EB41C47FD401161EB2EF4782350785FD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.784{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2571-6387-D702-000000009802}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.784{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.784{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.784{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.784{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.784{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2571-6387-D702-000000009802}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.784{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2571-6387-D702-000000009802}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.785{8A63456F-2571-6387-D702-000000009802}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000846323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.346{8A63456F-2571-6387-D602-000000009802}58882916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.112{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2571-6387-D602-000000009802}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.112{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.112{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.112{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.112{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.112{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2571-6387-D602-000000009802}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.112{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2571-6387-D602-000000009802}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:09.113{8A63456F-2571-6387-D602-000000009802}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:10.535{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E639BB764B24231FF48848D22E493DA,SHA256=19B3CF12A0D64BA2263160D037C0A220F623FFA6781EC3BF696797CC7FC58713,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000846334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:08.633{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54207-false10.0.1.12-8000- 23542300x8000000000000000395103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:11.610{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332C1F9E4D760BDA0A012550E0C08123,SHA256=CB812A195A3B10A8FA3E318CF761D86FCA3FD8EB6D54B4A346EA089F180FE95C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:11.757{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2573-6387-D802-000000009802}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:11.757{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:11.757{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:11.757{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:11.757{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:11.757{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2573-6387-D802-000000009802}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:11.757{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2573-6387-D802-000000009802}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:11.758{8A63456F-2573-6387-D802-000000009802}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000846340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localDLL2022-11-30 09:42:11.477{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\$Recycle.Bin\S-1-5-21-3737268975-2892188136-3967374509-500\$I59SYYX.dll2022-11-30 09:42:11.477 11241100x8000000000000000846339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:11.474{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\$Recycle.Bin\S-1-5-21-3737268975-2892188136-3967374509-500\$I5G3FNC.cmd2022-11-30 09:42:11.474 11241100x8000000000000000846338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localEXE2022-11-30 09:42:11.469{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\$Recycle.Bin\S-1-5-21-3737268975-2892188136-3967374509-500\$ISNK3O7.exe2022-11-30 09:42:11.469 11241100x8000000000000000846337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.localDLL2022-11-30 09:42:11.466{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\$Recycle.Bin\S-1-5-21-3737268975-2892188136-3967374509-500\$I55C9OJ.dll2022-11-30 09:42:11.466 10341000x8000000000000000846336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:11.392{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000846335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:11.022{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F337B26B43492982070F369845C47B8,SHA256=1A478B5753E666AD3B9EF281667E2617005E3059A482EC3B58CB74D0E837DF2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:07.948{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50561-false10.0.1.12-8000- 23542300x8000000000000000395104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:12.722{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA99087F1DED242B46ADF212416E53A3,SHA256=3587D411B9DA3740BF3191CB8E2DF56B4E561B260A095F1BF8A1163571EB2BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:12.793{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C8F242754426787AADA6592AD77A118,SHA256=8F656DD90978E500D6ED14926BC240C805F6BB03403A008110A3025FCA69E525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:12.137{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFEA3AA317EAF12DE07C4E4F404A5DD3,SHA256=8C600E0111F5A331F3B930EEF1E571E549F313AF3C4A9087D599CB07FC197EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:13.822{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C77E3B2D82B75B66821EB75E9762FB,SHA256=5D19D4B41C6CCF59243057FAEF8DAB39F7D1177EA49EC364A1D335739BE36B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:13.220{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBBA2FADD9C8132395083E0DCAD7A415,SHA256=CFE06243E1CC46A31303C24367CE908F5A593FD8D452FA18648244B155022D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:14.903{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8037A819DBD4F5B59E42EC5504379047,SHA256=743B57A4A59C94C62B4E5140890922EFFBC5DAE0DDE1D7412D74F951A437A8B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:14.307{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24AE49418A778AA62BAAA34AD7CC54F,SHA256=20C143A8DC0A58406DC7A447A930171B4F3C321E09F1D6AA861F367769C24719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:15.398{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B241FF6B920A3EDD6D86668C38DDB2,SHA256=082D3BB50CE17DB4534D4D9A32A32A7D8311986C75D33918A36FE9EF6AE0A95A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:16.488{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27E22C83CC93B4E8595789C5B2860B0,SHA256=DE2B3E35F4E169CA0083BBFD01087F3E06DABD33804C287B443E0F2BD48FFDA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000846354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:14.591{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54208-false10.0.1.12-8000- 354300x8000000000000000395108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:12.970{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50562-false10.0.1.12-8000- 23542300x8000000000000000395107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:16.014{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E58378884CFB19A2C4C368FD1D0CB3,SHA256=B90A4E654F6539909B8373E3EFC6790D1755349D324DEAC35DC52F8AE29BBA39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:17.581{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29729DEDF0235A9BC3EFB7716F8983F,SHA256=338C0DB224190A42B6E6A577C595E7897EFEE50D67014C041AF79EBC8BD47416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:17.099{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60FBA119F3DF670A56FE941D2A1977D,SHA256=1FF808A1502AB96105D3A375E081CC097A63FFBA1B010C96D823D0CE7B931DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:18.684{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E55E59F5A670F999160B96C0D4DFAD32,SHA256=4DB26E0EC1A04D83B619EF04263876287CCD33745F1E24892BB9AED09D89DD5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:18.637{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:18.637{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:18.637{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:18.622{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:18.197{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B960C66B8F65E4AF9D0C3B8CD51626D6,SHA256=A3E576BFAB682029D3FAD266332554CFC997E7B4A24824C6B64F73F7338609BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:19.778{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FC9DC801D515B4CB15F1E65B87E08C,SHA256=076AAA09A413871AA9D7BB41941C7CF72AB4291E58FE95478BEE9A14C49DD027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:19.300{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CA7CFDABE033B78F6A8E711913254E,SHA256=5920358ED6F0632152A3828B6B8B6D179D78C0F66DD52BAC5D8A37A9886EDE59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.965{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.965{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.962{8A63456F-1471-6387-1600-000000009802}12801452C:\Windows\system32\svchost.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.962{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.933{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.932{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.932{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.932{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.932{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.931{8A63456F-2418-6387-9102-000000009802}21205696C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+6d1bf|C:\Windows\System32\SHELL32.dll+e7e5e|C:\Windows\System32\SHELL32.dll+1834dc|C:\Windows\System32\SHELL32.dll+198348|C:\Windows\System32\SHELL32.dll+2847f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+183780|C:\Windows\System32\SHELL32.dll+180b5e|C:\Windows\System32\SHELL32.dll+60781|C:\Windows\System32\SHELL32.dll+63666|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x8000000000000000846389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.918{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap13476:48:7zEvent18234C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000846388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.848{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1085D15D82F5D6CC6EAC95C4E5CF1352,SHA256=C20A938BA4CB60DA0B57CF35CE3D965097EAD58DF038429FF68A455E639F24F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:20.396{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CAF05BEF50E9E92CFDC0A563936FC44,SHA256=1261CF0DE4C5CA4FBABE9172D0D8112EBB39FBCDA456A981FFC369D444567C3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.633{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.629{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.623{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.619{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.609{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.608{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.606{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.600{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.590{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.582{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.580{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.577{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.538{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.532{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.514{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.507{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.499{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.490{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.477{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.463{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.452{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.443{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.434{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.381{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.377{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.921{8A63456F-1471-6387-0D00-000000009802}9082236C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.921{8A63456F-1471-6387-0D00-000000009802}9082236C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:21.506{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3A35E5DEB8314AF9EF12D2563E8899AD,SHA256=9F23FBABFB73178C1DC9D081E03CD668AD2D021E767A300BDD2D53D361EB2905,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:17.971{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50563-false10.0.1.12-8000- 23542300x8000000000000000395113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:21.475{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691DDCE824DF807805A5EB14472B61C1,SHA256=7F490EEEDDE74F661C0CEA38BEA6DEE5600B4151E11FEDD15D7686815FE83DE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.709{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.709{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.708{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.675{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.675{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.675{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.165{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.116{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.082{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.082{8A63456F-2418-6387-9102-000000009802}21201328C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.081{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.081{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.081{8A63456F-2418-6387-9102-000000009802}21201328C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.081{8A63456F-2418-6387-9102-000000009802}21201328C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.080{8A63456F-2418-6387-9102-000000009802}21201328C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.075{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.073{8A63456F-2417-6387-8902-000000009802}50084736C:\Windows\system32\taskhostw.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.072{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e30c0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.072{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ba330|C:\Windows\System32\SHELL32.dll+e307c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.071{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3050|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.071{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.052{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:21.003{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:22.568{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F516AC5F3EFA08AFD9FA7FCCD99EC025,SHA256=A1DC3F0BDF28C0FCDA7D5195E1C4D431ECC641F48B2EBD2140262F981CE6B613,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:22.924{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000846429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:22.924{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000846428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:22.924{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 354300x8000000000000000846427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:20.556{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54209-false10.0.1.12-8000- 23542300x8000000000000000846426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:22.370{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15065D8978CCC46DC34E57C42ED35F8B,SHA256=A20F5153AF8DCD70F3170EEAF30CD8C993C4613075389ED664252C692B2CED80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:22.370{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37D6B86A16F865C8671BAF602882CB26,SHA256=84108C3F030556462C1B141BB2AF4DDBB4ED513E02BD7C8E3099EDF2EECEEE54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.663{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B9B4DB692728142AFD95C717C94CAC,SHA256=16851971AA0D59CA2183D61BB2F529FE9E2B87AF846B6E33A5CA7D755A0098A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.639{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.636{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.634{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.632{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.631{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.629{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.626{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.625{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.622{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.619{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.617{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.610{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.607{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.601{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.594{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.592{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.577{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000846452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.811{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.810{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.809{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.788{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.775{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.773{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9202-000000009802}592C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.738{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.729{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.717{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.712{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.710{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.708{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.704{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.702{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.699{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.698{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.696{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.695{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.190{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.189{8A63456F-2424-6387-9602-000000009802}4784336C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x8000000000000000846432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.158{8A63456F-1471-6387-0D00-000000009802}9082236C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000846431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:23.015{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44FC827D8E327242203A01484DCAE28,SHA256=2E25E0FA817BD738FF63DFD720505A8374E6D9797B6B0E317021ADC79C5C150D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.568{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.562{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.554{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.547{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.522{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.516{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.510{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.502{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.496{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.489{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.482{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.479{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x8000000000000000395147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:24.632{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4982090AC5B95D21C2CB9139C8D6E31,SHA256=073EE36A375C098968EE607D5811C2C15704745F144120B4FD08C52FE8775E50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:24.279{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:24.264{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:24.264{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-257C-6387-D902-000000009802}6064C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:24.217{8A63456F-1471-6387-0D00-000000009802}9082236C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:24.217{8A63456F-1471-6387-0D00-000000009802}9082236C:\Windows\system32\svchost.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:24.217{8A63456F-1471-6387-0D00-000000009802}9082236C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:24.217{8A63456F-1471-6387-0D00-000000009802}9082236C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000846453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:24.107{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0354C082412D6F6FE03776E266E211B,SHA256=CA3D928A222F5E7D9893BE953E241EC1FE270E380B190602F3C36FC82D4512A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:25.710{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90209F604B83DD5F971EBA1DD841BF8,SHA256=ABA0F769D35A7FA6819A3EC2870FF2CEC826D0ED1DBAF5D9B36A56F46B51451E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:25.208{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17701D74AF12493401ACDF0AB3C1CC34,SHA256=FEA9D8AFB4F0177C699ADEEC85BEB2B70D17E8BCEEBCDEFF0A0F66B283B55533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:26.811{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83946DEFFD0F6E7848709D36738221E,SHA256=6215D65455EF1F03FD01B9518C241567FF5423677AF01EBF6CF7872E5B45824B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:26.299{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE13E325B4BE0916A859DD8757675D4F,SHA256=45DA757A0BDF01AE2232A200E60779FC407EA72F999A2C185DA0B8C45024DA76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.834{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50564-false10.0.1.12-8000- 354300x8000000000000000395150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:23.007{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:287e:3387:f5ff:fef0win-host-ctus-attack-range-225546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000395149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:26.294{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-070MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:27.905{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B84FC6A0520F4A32E7A242AD2916E5,SHA256=AF1E7D430C03501CC7DBAF17B29D85D422C6006C44724F8619165196F97ECD95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000846464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:25.570{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54210-false10.0.1.12-8000- 23542300x8000000000000000846463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:27.409{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B799368B2FA36A21589566B550FA87D8,SHA256=97DA50AAB3F9E1FAE8904D2A0A9DAC71A6B4168C2DC721B8665BA9506EC711BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:27.305{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-071MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:28.505{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B03AE268DC888C51AEB6B4310068A96,SHA256=8A204EE8AC35343A938C0944D2FB7037CC201CECB13CC769B49116A38B49B8ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:29.597{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918CA8A0FD5432FEBAB7AA86AFC0E6F7,SHA256=F1AFF3F1BEA47E23CA4BB770C8458E7F4AB62E95E7F77F016E7657BE38C450F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:29.006{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0E4118BAE558D34852DA6F6CB89D5D,SHA256=625C4599A83CDF5DF2EF66A2441ED962CEE2BF9BD3D554D6C7B216BA48911ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:30.693{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6FAD6A41A589CC3A4B89940213C5544,SHA256=3FF08B581B131CB6E0606ECE524B24C71AA16B1C377C36768C2AB19D0276B320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:30.096{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17517095E4549F16BD016CD643F2E99B,SHA256=CC2C49710E72A2A29FF699F8E53162132C87AED620FAC09C663C6C0A138EEF06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:31.792{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5872B230719C23D7EC9B6364FD069BB,SHA256=79751FEDC2F3BE0E40FDC54D20A710923515A55274E75DBC906E895C63306F27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:28.971{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50565-false10.0.1.12-8000- 23542300x8000000000000000395157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:31.193{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C865D804E46C3434ED78B5B1DC9DDB8,SHA256=F6079A85EB94546F8722A45835090CFC9753B1D02E44F278D3E02B2ED2C901D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:32.881{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D974103356197A7B5EAFFBCA1C57A0,SHA256=BC62B09AF4A262F23DC07A405170B35CBB775257B92450DF0D04897C63160048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:32.290{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1CD76A2B2A5F5F78AC95063B052C80,SHA256=7F158EE156FFDB57CB11831A3DAE9E1E4E4B7F86692BDD35DE1D377EA976DA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:33.991{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8993971F1E7D3522EA42BDB8C45661B,SHA256=973FBDD17D9F50287D0741C2B9A4FE1E142649A0FB384434317A429315B36212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:33.380{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90F15F7C8F919014F51B6A30BDFFC7B,SHA256=0BB06BEDDDDDA8648D302B0CBEC90ABC51FEC781F82C9722D0646BFD00863AF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:33.127{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:33.127{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:33.127{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:33.127{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e30c0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:33.127{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ba330|C:\Windows\System32\SHELL32.dll+e307c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:33.127{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3050|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:33.127{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:34.466{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5175226A01C1C4776C7421F48C90776E,SHA256=9D962863003E5C7C38173E20EA9317DA8E526098F4730D69D7400175F655B9E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000846478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:31.543{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54211-false10.0.1.12-8000- 23542300x8000000000000000395162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:35.569{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2DB6C282859904693D387970D67E12,SHA256=7AB15D6DFAA9B11912527AF67554C86C213AA7565F72235A7B65779BB8946DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:35.090{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D44D24F937D4387F638321D38DE1E5,SHA256=3F0D53F89A799C599BA000B81DC9612B949BE50C29FCE52FC9DA777BB210262E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:36.656{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE25BC0F621F4FEE646D7338DC012B3,SHA256=4F108059B5DBEDA9707322E3B539EBC7808B6FC44EFA2C2E70400A95927C7AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:36.184{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7917D39EE7B8984A30DB8430D0B29F8A,SHA256=25E9F855047B6D7CFD766BB7429144A2BACFBF8AE1F34ECB14C7535E093CCDFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:34.803{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50566-false10.0.1.12-8000- 23542300x8000000000000000395165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:37.755{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B803F40FCF7596A87755B4EF2372D9C,SHA256=6BBAD78430BC8878DBAB31648BBB3FA45E47EBF3A0AB3C66C8B33448B4313A51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:37.524{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=37C78C41A19F40F5ACD443B5AC1D56C4,SHA256=0420A9103C3B4402C1BD7199553C0422128E8F07CE03841FED2E35FA01B7ACB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:37.290{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4528D4CECE2730C5E9EBD80F6E807FB0,SHA256=F7CD707CF4577713B3F59B708F06B5831AB416FFE3F932EB5F72E2C339BEF59F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:37.220{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1BE77A6B123D6A616AE474162868D621,SHA256=DF1703EAD6764AFDF13D18FDC5F088EC7E1C3699E6C5ED3D577136C4AA3C347B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:38.957{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D176609A81B64512CE479DC01AB9417,SHA256=5E5D15F5ED679A0E384BEBE30A4A8D0292E56BE23A63D24FC5BF79C7262211C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:38.381{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D68796467D048613343BBED2F8E33D5,SHA256=615F4752AB0F0F19D015FDCDAE1489082C1DC2C1D061C4B92796AE2E47ED761E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:38.350{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=54B9A4F524BDFC23B38ED8FC65FEFE70,SHA256=3809917C29F925689674F99ADA01D9AE614071F79A477AF32D2670854BDC8FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:39.471{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D0D3260574CF4FCCC0702ECEB3F70B,SHA256=DBF66EBFD94B361AE8BDF23B0E8B72EB54BF23B3D7D278B43168EC520222E747,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000846485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:36.608{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54212-false10.0.1.12-8000- 23542300x8000000000000000846519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.956{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-070MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.883{8A63456F-1471-6387-1600-000000009802}12804312C:\Windows\system32\svchost.exe{8A63456F-2590-6387-DA02-000000009802}5920C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.882{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2590-6387-DA02-000000009802}5920C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.875{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2590-6387-DA02-000000009802}5920C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.866{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-2590-6387-DA02-000000009802}5920C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.863{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2590-6387-DA02-000000009802}5920C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.862{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2590-6387-DA02-000000009802}5920C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd52|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.615{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.609{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.598{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.595{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.588{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.585{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.583{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.577{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.568{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.564{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.562{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.559{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 23542300x8000000000000000846500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.553{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A02FB0373B263B43E010ED317715AE7,SHA256=3E894F093423A0C37360CBEEFC0128AAE2093D716C6A18C5BF2E256EEFE9E031,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.528{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.523{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.508{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.501{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.491{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.481{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 23542300x8000000000000000395168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:40.067{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E1275EFB269B911B90D64CD6F157F2,SHA256=BDED90E75C788E5ECB70C5C220BB330B5EC1D999A019A79F2ABA14F1333A50FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.471{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.457{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.449{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.439{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.431{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.391{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:40.389{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 23542300x8000000000000000846537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.959{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-071MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.942{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C960D14E0A95181098DF37953915293B,SHA256=29AA90072B7BA64D600B7CAF53B08549EF240D0D55F31A6D02431C9E834D54AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.926{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.926{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.926{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.926{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e30c0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.926{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ba330|C:\Windows\System32\SHELL32.dll+e307c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.926{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3050|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.926{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000846528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.926{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1B9B299A5DE4320F28E3C0026FC2DE,SHA256=77764CDC47E66B57E5554EAFB5DC4A7FA431D94603A4C314F379F5A07EC93959,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.622{8A63456F-2418-6387-9102-000000009802}21203140C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8fdd|C:\Windows\System32\SHELL32.dll+283bae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000846526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.622{8A63456F-2418-6387-9102-000000009802}21203140C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8fdd|C:\Windows\System32\SHELL32.dll+283bae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 23542300x8000000000000000395169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:41.147{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9F4ABE9A687E0E8C758E31C35C5EDB,SHA256=BB8F6A1032F3C28297ACB29710E6655D460955E7CADE08273EAD1E26CDABCBA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.301{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2590-6387-DA02-000000009802}5920C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.301{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2590-6387-DA02-000000009802}5920C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.301{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2590-6387-DA02-000000009802}5920C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.111{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.047{8A63456F-2418-6387-9102-000000009802}21203140C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8fdd|C:\Windows\System32\SHELL32.dll+283bae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000846520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:41.045{8A63456F-2418-6387-9102-000000009802}21203140C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8fdd|C:\Windows\System32\SHELL32.dll+283bae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 354300x8000000000000000395171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:39.806{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50567-false10.0.1.12-8000- 23542300x8000000000000000395170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:42.227{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DAFDFDF63AA2BD81418EC41DB9CFD9,SHA256=89EE6B1ADC3F9BF4593A830172F9DA30474B144E3F927415BCA86B4A14B13704,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:42.952{8A63456F-2550-6387-D102-000000009802}51805176C:\Windows\system32\conhost.exe{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:42.950{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:42.950{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:42.950{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:42.949{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:42.949{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:42.949{8A63456F-2550-6387-D002-000000009802}33005700C:\Windows\system32\cmd.exe{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:42.917{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 10341000x8000000000000000846541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:42.869{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2590-6387-DA02-000000009802}5920C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000846540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:42.869{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2590-6387-DA02-000000009802}5920C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000846539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:42.869{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2590-6387-DA02-000000009802}5920C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 23542300x8000000000000000846538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:42.703{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46450495DA278789128AC3F21EB39C06,SHA256=1009DFDD53A4EF1EFAEF45EF2F492903BA73621DEB914249B999B1ED23E7E32A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.759{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.759{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B81333EFA74F09109E5C3DE03F393189833ACA4A7ECDCC61163DD8214FF7F2D7falsetrue 10341000x8000000000000000846623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.745{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.745{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.743{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.732{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.721{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 354300x8000000000000000395202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:39.950{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal3389ms-wbt-serverfalse184.105.247.222scan-13g.shadowserver.org43772- 10341000x8000000000000000395201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.638{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.635{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.633{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.631{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.630{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.627{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.626{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.625{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.624{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.620{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.618{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.613{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.610{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.600{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.594{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.592{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.579{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.573{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.565{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.558{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.551{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.526{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.519{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.513{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.501{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.494{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.489{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.487{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.481{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 23542300x8000000000000000395172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:43.331{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39003B4485B656D94748EDDF5A700AF,SHA256=4A6562B5962ADE12006ACD1C3188CE58D3671EFA365FE249943D36E08128F697,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.685{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.682{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8902-000000009802}5008C:\Windows\system32\taskhostw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.679{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.676{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.674{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8502-000000009802}2056C:\Windows\System32\RuntimeBroker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.670{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.665{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.663{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.661{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.658{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.656{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.653{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.652{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.649{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.648{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 11241100x8000000000000000846603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.569{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2022-11-17 09:51:50.314 23542300x8000000000000000846602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.569{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationSHA256=36F0B609457A4892C8EDA2CE3EB61D061DF31526BC4741001F48E788BF63D79Cfalsetrue 11241100x8000000000000000846601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.335{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.335{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=C488D7995C2999B178E3329B4AA76CDA1B208B88373680F6ED08C3DA27CC7576falsetrue 10341000x8000000000000000846599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}9083088C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}9083088C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.160{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.159{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.159{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.159{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.159{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.159{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.159{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.159{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.159{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.159{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.142{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.136{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.062{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.062{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.062{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.043{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000846561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.027{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exe 16341600x8000000000000000846560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local2022-11-30 09:42:43.024C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=28212C8E95CBD0D37EE7AC3612BA506D3926F7724582CABE2EC2542253124121 13241300x8000000000000000846559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:42:43.022{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x8000000000000000846558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:42:43.022{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x8000000000000000846557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:42:43.022{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x8000000000000000846556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:42:43.022{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000001) 12241200x8000000000000000846555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-DeleteValue2022-11-30 09:42:43.022{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x8000000000000000846554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-DeleteValue2022-11-30 09:42:43.021{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x8000000000000000846553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-DeleteValue2022-11-30 09:42:43.021{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x8000000000000000846552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-DeleteValue2022-11-30 09:42:43.021{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x8000000000000000846551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-DeleteValue2022-11-30 09:42:43.021{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x8000000000000000846550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.020{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2592-6387-DB02-000000009802}5800C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:44.834{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A564367C958B49C44BAF5A5C8F47004A,SHA256=56AA0A00FECD6E2E0C056FA87795424099BDB453C11D22413BE9EB2F20BE7935,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:44.844{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:44.844{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=CDB828437E8151F63BC5AB76F069A1476AA27A4F4C96742B26BBC9E75EA9F5B3falsetrue 10341000x8000000000000000846629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:44.392{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:44.392{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:44.389{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:44.389{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000395204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:45.938{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87021A5C5614CA7FAB9FDDDB27A270F2,SHA256=74D089F1DDA3E9CDA5F235B5853518B13C17DF90169F9AAFA7555BCD91D74AF8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:45.931{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:45.931{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=3F09E943902B89B69B5FEBB55B1C53508F389716EAF5BA4CD30A17D0ACCB4B1Cfalsetrue 534500x8000000000000000846641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:45.900{8A63456F-2590-6387-DA02-000000009802}5920C:\Windows\System32\dllhost.exe 10341000x8000000000000000846640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:45.869{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:45.869{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:45.869{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:45.869{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e30c0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:45.869{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ba330|C:\Windows\System32\SHELL32.dll+e307c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:45.869{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3050|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:45.869{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000846633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:43.136{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A52717- 354300x8000000000000000846632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:42.564{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54213-false10.0.1.12-8000- 10341000x8000000000000000395208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:46.245{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:46.245{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:46.245{E56ECBBF-146E-6387-0B00-000000009902}644536C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:46.228{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000395210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:44.975{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50568-false10.0.1.12-8000- 23542300x8000000000000000395209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:47.004{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CD27A8512FF670D5B3AD19DC5BB82A,SHA256=9AB898764189AB3F50285FF5A0A2FDF4D0D04333B47C454C1D67FF51D9F91A91,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:47.038{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:47.038{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B4B280B004270E173B8011E73F925744437A9992A801127CFA29029E465302C6falsetrue 23542300x8000000000000000395211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:48.099{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE8CFB78F6DBB99A872F376FFC740E7,SHA256=B86A3D33F84D94115817FD3FA858DC942EB643E39B062676C2FDBC24DF03089C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:48.131{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:48.131{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=598B6B29985B673F5C77366ED51084AEC262D42126D18DE3B84488D0E8A1BDB7falsetrue 354300x8000000000000000846650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:47.575{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54214-false10.0.1.12-8000- 11241100x8000000000000000846649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:49.222{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:49.222{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=431F0BF68ADC2196BD8C6ACC89A75D67151F9CCAF3B19A7DA4C11856733F14B6falsetrue 10341000x8000000000000000395227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.845{E56ECBBF-2599-6387-A202-000000009902}22281760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.845{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.704{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2599-6387-A202-000000009902}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.704{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.704{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.704{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.704{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.704{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.704{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.704{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.704{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.704{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.704{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-2599-6387-A202-000000009902}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.704{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2599-6387-A202-000000009902}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.705{E56ECBBF-2599-6387-A202-000000009902}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:49.209{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CFA46FFB829588FA6D96C89693C103A,SHA256=7C0F3E292FE71952FBF69B0A49BC37F04BF168CEB3C4BA28610A7FBAD8081990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.743{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7EC11AFCBFDA34F82555B03B31F3E3A,SHA256=EA52635C19FADAFC1491219BF50F3DAE624085388B5BC9FF61799059BD7FAFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.633{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8ED9C301200967869E174DA2CC034560,SHA256=5B7E1CD828B49A7931038D0A85252ABC8662E9AFE58C2684B62F60D7AF103969,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.318{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-259A-6387-A302-000000009902}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.318{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.318{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.318{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.318{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.318{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.318{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.318{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.318{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.318{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.318{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-259A-6387-A302-000000009902}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.318{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-259A-6387-A302-000000009902}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.320{E56ECBBF-259A-6387-A302-000000009902}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.303{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C357AC4FF62BA282A6307D91883EDAC,SHA256=BAD784C24FE13AB7DE9FB52CB00FA2D098D358B8E2FC6346AB4B4E468D95834F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:50.501{8A63456F-1471-6387-0D00-000000009802}9083088C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000846652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:50.313{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:50.313{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=67C8FFFC243D8D0A599EAE484F50BE0E85908338FD4C94AC05F126408EB30897falsetrue 23542300x8000000000000000395259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.907{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1523476C0CBC832B9827310B882B459B,SHA256=ABB8F1BA20D84E3128315560FC5F276BBC31740D96DB818C340E7D37F486F8C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:48.580{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50569-false10.0.1.12-8089- 23542300x8000000000000000395257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.750{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9691F0615A2BDDB121547F18A2DADC5E,SHA256=1BFBC03E78F51CEF8AAC57C11D45B013FF3478C42033445009FC8A90277E6FF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:51.395{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:51.395{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=15AA901F7E58FC8C7BB75B5126AA2F454BEA595B65C14070F02309299C18E2FCfalsetrue 10341000x8000000000000000395256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.131{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-259B-6387-A402-000000009902}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.131{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.131{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.131{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.131{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.131{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.131{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.131{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.131{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.131{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.131{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-259B-6387-A402-000000009902}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.131{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-259B-6387-A402-000000009902}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:51.132{E56ECBBF-259B-6387-A402-000000009902}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:52.808{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D3F158615D0A522F45B948C2A8147A,SHA256=993517AA9350888076ED2A8695C5B760D925A1FB52C7CBA7D21E2AEE3865B845,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:52.497{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:52.497{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=8371218A2994E6542D149D459CB99167B4C30A43D6D4687FA12CD07C35B1FD58falsetrue 23542300x8000000000000000395279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.928{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59857EB77302127C84EF969EC9E7D19,SHA256=488E4D69B0A771FDD2DFE116D40BB9DFC0F3DBD6B0807C3C3AB9AA12C66007E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:50.787{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50570-false10.0.1.12-8000- 11241100x8000000000000000846661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:53.592{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:53.592{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=F2FFAFBD3E38687123BFDC4776153A6A2CB1562DAC8B6FC71C70A058120472D3falsetrue 10341000x8000000000000000395277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.741{E56ECBBF-259D-6387-A502-000000009902}39161456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.625{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-259D-6387-A502-000000009902}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000395275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.624{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-259D-6387-A502-000000009902}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000395274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.624{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-259D-6387-A502-000000009902}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000395273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.578{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-259D-6387-A502-000000009902}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.578{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.578{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.578{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.578{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.578{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.578{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.578{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.578{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.578{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.578{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-259D-6387-A502-000000009902}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.578{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-259D-6387-A502-000000009902}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:53.579{E56ECBBF-259D-6387-A502-000000009902}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000846659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:53.018{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-11-17 09:52:52.240 23542300x8000000000000000846658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:53.017{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlSHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894falsetrue 10341000x8000000000000000395306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.940{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-259E-6387-A702-000000009902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.940{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.940{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.940{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.940{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.940{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.940{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.940{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.940{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.940{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.940{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-259E-6387-A702-000000009902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.940{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-259E-6387-A702-000000009902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.941{E56ECBBF-259E-6387-A702-000000009902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000846663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:54.685{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:54.685{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=4840035689F96BB6393EC0E6AFDD271CA49A1BA2C15DA0C8851D1063DC1081B2falsetrue 10341000x8000000000000000395293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.448{E56ECBBF-259E-6387-A602-000000009902}1892984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.261{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-259E-6387-A602-000000009902}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.261{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.261{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.261{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.261{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.261{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.261{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.261{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.261{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.261{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.261{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-259E-6387-A602-000000009902}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.261{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-259E-6387-A602-000000009902}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:54.261{E56ECBBF-259E-6387-A602-000000009902}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.983{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=503AD1353ECAEDF378BF3A88FB8F0B41,SHA256=4133F87B94BFDBDB81EE067349E8895D3165722C6F75781089CF60F233F8CC18,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:55.776{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:55.776{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=7137B0177F49801339D740BCECEBB3025A63F8EBA8261260014175EECF7BC278falsetrue 10341000x8000000000000000395321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.779{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-259F-6387-A802-000000009902}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.779{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.779{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-259F-6387-A802-000000009902}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.779{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-259F-6387-A802-000000009902}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.780{E56ECBBF-259F-6387-A802-000000009902}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000395308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.084{E56ECBBF-259E-6387-A702-000000009902}996408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.022{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD18C68A4339D639A51A23FAC4F977F,SHA256=B6249A47C7B2B28C9481876CC31590DCDED159F05439FFDC26FFC08AB426A073,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000846665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:52.682{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54216-false10.0.1.12-8000- 354300x8000000000000000846664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:52.447{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54215-false10.0.1.12-8089- 11241100x8000000000000000846669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:56.869{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:56.869{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B9DDA3DC42C076F9B6CD4F308E058E57E0CA251997B59F6231E273A32AC1DDA9falsetrue 23542300x8000000000000000395323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:56.334{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978925FDC17A780DF87BA48E61194756,SHA256=E144E8D77989FB96F14A95FC3FEFD979A1861C6BDD759A535513FD14691BE3BE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:57.962{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:57.962{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=4D393A6D28EE2CECBEBC1F384FA630443B76AA210D48E1FBD970369F72AD627Dfalsetrue 23542300x8000000000000000395324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:57.084{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03306D1853D7EA41231CCC705C7FC49A,SHA256=63E9A88584E06609B1A406BCA4BC8AD24AC6298766B9D80014734B1039B089C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:58.184{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497F3BFA1ED2EC314F619CFB6D926845,SHA256=5C5F99955F334217C010B5FD97D00DBC012CF19D7C6F23045F8BA90F8EB23DC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:59.276{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=538FE9E82518D0C59EE7A29F4708D9B4,SHA256=EA2A6808A8495163105CE47E890BBA75358D023F4C696672241198D25E38817D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:42:55.942{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50571-false10.0.1.12-8000- 11241100x8000000000000000846673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:59.057{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:59.057{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=2DD1312D177B9B17EE8F61185B4E17E7A6C5371A959D965A74569388A07685F9falsetrue 23542300x8000000000000000395328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:00.347{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD7EF5586C136F7049E86B8F46AEB39,SHA256=534E3D2CADED3BA3D935036071F39F0EFB28CD601F7C4D5C32D42A9DE0507A67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000846701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.608{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.602{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.595{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.591{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.581{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.579{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.577{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.570{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.561{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.558{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.555{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.550{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.518{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.506{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.491{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.486{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.478{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.466{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.458{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.447{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 354300x8000000000000000846681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:42:58.593{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54217-false10.0.1.12-8000- 10341000x8000000000000000846680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.439{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.429{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.420{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.377{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.374{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 11241100x8000000000000000846675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.158{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:00.158{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B3CFCF05DDD8644AE01E7F34CDB5B103F2BC1D9F32043854B698284726A50645falsetrue 23542300x8000000000000000395329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:01.443{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EFB34A00BF655CA74AB7E3BDA8E9BEB,SHA256=92E5E795BF324AFFA462EC30FF1078AB312B4866E100CF33F217DE302439D27B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:01.267{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:01.267{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=D848B7A3E96F9F68D20BB137488EC2E4026C6231F41FBEDDD23CDB0135B1BDDBfalsetrue 10341000x8000000000000000846702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:01.017{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 23542300x8000000000000000395330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:02.538{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0C5B89244E4F500A1BCD245FD9EDAE,SHA256=95850B64B06034ED1276A1FC10D803C2F0EC355AC1ECDE0EEE04CD673551337B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:02.397{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:02.397{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=ECBCE272A4ABAC943D975C68F7F16C05BBE6227853202F7D92C021558AF521ECfalsetrue 10341000x8000000000000000395360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.697{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.693{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.690{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.687{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.686{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.682{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.681{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.678{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.674{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.669{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.667{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.656{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.653{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.643{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.637{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.634{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 23542300x8000000000000000395344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.624{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C3FBFCB120408DE814EBF7DE2A88B6,SHA256=3A822E3CBBAAB50642528EA09617B83498FFF1EBA3170C53EC377B1DDD9621C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.617{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.607{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.598{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.588{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.577{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.546{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000846731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.696{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.696{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.692{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.678{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.666{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.612{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.609{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8902-000000009802}5008C:\Windows\system32\taskhostw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.606{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.601{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.599{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8502-000000009802}2056C:\Windows\System32\RuntimeBroker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 11241100x8000000000000000846721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.598{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-11-30 09:43:03.597 10341000x8000000000000000846720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.594{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.588{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.587{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.583{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.582{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.578{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.574{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.573{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.571{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.570{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 11241100x8000000000000000846710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.475{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.475{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=0D47EE7C3E5993F7D87216396AC4D99301B1488C9989F0FD154978D5DB6017FDfalsetrue 10341000x8000000000000000395337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.531{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.527{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.519{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.513{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.505{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.496{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:03.490{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000846708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.056{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000846707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:03.054{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 23542300x8000000000000000395361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:04.614{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D78290A1DFFA7C275D2BCCA2E6A34E,SHA256=49947D701320D89D4CA4114D1FA63B1A39A391C5CC08F3D0541D343F9B5AC4EF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:04.551{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:04.551{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=290478EB0D406916E3EC0E48753FA332C4DE9C3A0587744197B187BD625B90EBfalsetrue 10341000x8000000000000000846752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.993{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25A9-6387-DD02-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.993{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25A9-6387-DD02-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.993{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25A9-6387-DD02-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.993{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25A9-6387-DD02-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.993{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25A9-6387-DD02-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.993{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25A9-6387-DD02-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 11241100x8000000000000000846746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.967{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-11-17 09:52:17.849 23542300x8000000000000000846745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.967{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecuritySHA256=BD21655848408B2F76889B16DC3734B3C1652B4B2422B73333195D151EC0F2E3falsetrue 10341000x8000000000000000846744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.864{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-25A9-6387-DD02-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.864{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-25A9-6387-DD02-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.864{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-25A9-6387-DD02-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.740{8A63456F-25A9-6387-DD02-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000846740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.645{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.645{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=0FEFA766D3A352E0607BD43155EB2D228C63714D0C3CDDB3F0A90D3E429A2ACAfalsetrue 23542300x8000000000000000395363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:05.712{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD0873192EC370846B3A192561BD357,SHA256=90B383918327AF39C8C4CBAFF9F16BF3D66FD812658F20AA66294134C25FC2DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:01.838{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50572-false10.0.1.12-8000- 534500x8000000000000000846738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.380{8A63456F-25A8-6387-DC02-000000009802}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 10341000x8000000000000000846737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.083{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-25A8-6387-DC02-000000009802}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.067{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-25A8-6387-DC02-000000009802}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.067{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-25A8-6387-DC02-000000009802}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:04.915{8A63456F-25A8-6387-DC02-000000009802}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:06.787{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFA6DAB1BE5FA9E179521D355DD6893,SHA256=C56AC9E1E3376313F19DFA9E2F3855C401AFCD6AAD33F610DB775533FCE1AB3F,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000846770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.795{8A63456F-25AA-6387-DE02-000000009802}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x8000000000000000846769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.780{8A63456F-25AA-6387-DE02-000000009802}53805364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000846768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.729{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logSHA256=68FAB5AD712E62D47F674DA38C6A55F0B91F459B6275C4F0BAAAE5EFA405C4BBfalsetrue 354300x8000000000000000846767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:04.574{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54218-false10.0.1.12-8000- 10341000x8000000000000000846766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.541{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-25AA-6387-DE02-000000009802}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.541{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-25AA-6387-DE02-000000009802}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.541{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-25AA-6387-DE02-000000009802}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.355{8A63456F-25AA-6387-DE02-000000009802}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000846762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.213{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e3745|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.213{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e365e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.213{8A63456F-2418-6387-9102-000000009802}21204996C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3627|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+6d7f7|C:\Windows\System32\windows.storage.dll+6c57f|C:\Windows\System32\windows.storage.dll+19e74f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.213{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e231f|C:\Windows\System32\SHELL32.dll+e30c0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.213{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ba330|C:\Windows\System32\SHELL32.dll+e307c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.213{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e2574|C:\Windows\System32\SHELL32.dll+e3050|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.213{8A63456F-2418-6387-9102-000000009802}21204752C:\Windows\Explorer.EXE{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000846755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.151{8A63456F-25A9-6387-DD02-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 11241100x8000000000000000846754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.073{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2022-11-17 09:51:50.314 23542300x8000000000000000846753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:06.073{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationSHA256=0F00F86E61EABB471867F65FA522C8D18B93D34EB587AA67F24666887791369Dfalsetrue 11241100x8000000000000000846787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.826{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.826{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=8102BB54B0176F608BC9455585F3D6A7EF9F28D0E5B737A145F5996D84D10361falsetrue 23542300x8000000000000000395365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:07.874{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6B3B68E1E6CFEA57B70A82BA8AE1CD,SHA256=E891EDC6B76E22CEDC9D20068DF797279623D3FD1B87451FCB445135AEFEBFAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000846785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.892{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54219-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000846784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:05.892{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54219-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 11241100x8000000000000000846783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.217{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.217{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=CF32253408EFD2EB1E9784BA141E1A6E6A007A54F9B903B2E738DE77D82CA992falsetrue 10341000x8000000000000000846781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.029{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.029{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.029{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.029{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.029{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.027{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.027{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.027{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.027{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.025{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:07.024{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000395366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:08.963{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F235F310925B38EF20F3D6E1CAF0CFB1,SHA256=56D4B0115B40B98D8BE71BC3E09ECE7D5949A70ED1077424A538E4DB23D2B903,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:08.914{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:08.914{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=856883DE47908A5A9D3FEAF885C35CB0B1B7581A3BC3AE7F892E69EF55F1F762falsetrue 534500x8000000000000000846793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:08.852{8A63456F-25AC-6387-DF02-000000009802}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000846792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:08.852{8A63456F-25AC-6387-DF02-000000009802}46082068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:08.572{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-25AC-6387-DF02-000000009802}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:08.555{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-25AC-6387-DF02-000000009802}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:08.555{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-25AC-6387-DF02-000000009802}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:08.446{8A63456F-25AC-6387-DF02-000000009802}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000846805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:09.916{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-25AD-6387-E102-000000009802}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:09.916{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-25AD-6387-E102-000000009802}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:09.916{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-25AD-6387-E102-000000009802}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:09.916{8A63456F-25AD-6387-E102-000000009802}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000395367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:06.870{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50573-false10.0.1.12-8000- 534500x8000000000000000846801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:09.650{8A63456F-25AD-6387-E002-000000009802}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 10341000x8000000000000000846800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:09.650{8A63456F-25AD-6387-E002-000000009802}45245504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:09.416{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-25AD-6387-E002-000000009802}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:09.416{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-25AD-6387-E002-000000009802}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:09.416{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-25AD-6387-E002-000000009802}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:09.307{8A63456F-25AD-6387-E002-000000009802}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000846817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:10.968{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:10.968{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=A9E21AF117669B52EE660A6BA177827CF98A089D631F28E46C485293A0A75EB0falsetrue 23542300x8000000000000000395368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:10.068{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF797147CC547DD245D4868DBF98D89,SHA256=37C4BBC014945DCE8DA07527076535D4857305A5330EEE54DA8F94C18DD4246E,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000846815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:10.138{8A63456F-25AD-6387-E102-000000009802}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000846814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:10.138{8A63456F-25AD-6387-E102-000000009802}52005240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:10.106{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AD-6387-E102-000000009802}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:10.106{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AD-6387-E102-000000009802}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:10.106{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AD-6387-E102-000000009802}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:10.105{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AD-6387-E102-000000009802}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:10.105{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AD-6387-E102-000000009802}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:10.105{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AD-6387-E102-000000009802}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 11241100x8000000000000000846807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:10.012{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:10.012{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=820B3F5597EE0A940681F1E7E4744047C535F5767626A7A51FE0DB05EB433B07falsetrue 23542300x8000000000000000395369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:11.151{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F401F4074C290592C15F69E92803AF,SHA256=7164417DE6C3A5216814F8E4746FF1E16DFF11B613F51CE6BEA257278387467F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000846879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.983{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\disk.PNF2017-09-13 12:23:31.817 23542300x8000000000000000846878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.983{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\disk.PNFSHA256=DCC29602D87E107F4D8C70A7EA47F9E9B575EF52FE076EFAC9A56B2799957DD7falsetrue 11241100x8000000000000000846877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.968{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\compositebus.PNF2016-09-12 11:34:06.325 23542300x8000000000000000846876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.968{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\compositebus.PNFSHA256=7C620C3280541CCB45BF9D7D2824524B21E186DDD7C06149DD47C13BA5348514falsetrue 11241100x8000000000000000846875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.936{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\cpu.PNF2022-11-10 12:10:16.226 23542300x8000000000000000846874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.936{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\cpu.PNFSHA256=7E69A09C75743FDF432CFEC639261860738B8DCDC4EFF44953D7EA2D53C2FDA8falsetrue 11241100x8000000000000000846873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.921{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\acpi.PNF2018-07-11 03:43:13.996 23542300x8000000000000000846872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.921{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\acpi.PNFSHA256=CAD38BB1115E81DFE7488988369311669B99E334C66906ED7330FBB0EDEAA641falsetrue 10341000x8000000000000000846871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.905{8A63456F-25AF-6387-E902-000000009802}5600536C:\Windows\system32\conhost.exe{8A63456F-25AF-6387-EA02-000000009802}5772C:\Windows\SysWOW64\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.890{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-25AF-6387-EA02-000000009802}5772C:\Windows\SysWOW64\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.890{8A63456F-25AF-6387-E702-000000009802}51883948C:\Windows\SysWOW64\net.exe{8A63456F-25AF-6387-EA02-000000009802}5772C:\Windows\SysWOW64\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9428(wow64)|C:\Windows\System32\KERNELBASE.dll+d810c(wow64)|C:\Windows\SysWOW64\net.exe+302f|C:\Windows\SysWOW64\net.exe+2b5b|C:\Windows\SysWOW64\net.exe+2487|C:\Windows\SysWOW64\net.exe+2159|C:\Windows\SysWOW64\net.exe+328f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000846868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.897{8A63456F-25AF-6387-EA02-000000009802}5772C:\Windows\SysWOW64\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 stop MSSQLSERVERC:\Temp\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=756F45004C4E80B3D3B9A1695ADA3F0C46EFEDE53A16EA29E5C8AE7DD2B568DE{8A63456F-25AF-6387-E702-000000009802}5188C:\Windows\SysWOW64\net.exeC:\Windows\System32\net.exe stop MSSQLSERVER 10341000x8000000000000000846867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.890{8A63456F-1471-6387-1200-000000009802}7765452C:\Windows\System32\svchost.exe{8A63456F-25AF-6387-EA02-000000009802}5772C:\Windows\SysWOW64\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000846866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.874{8A63456F-25AF-6387-E602-000000009802}5644C:\Windows\System32\conhost.exe 534500x8000000000000000846865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.874{8A63456F-25AF-6387-E802-000000009802}5228C:\Windows\System32\conhost.exe 534500x8000000000000000846864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.874{8A63456F-25AF-6387-E502-000000009802}5208C:\Windows\SysWOW64\reg.exe 534500x8000000000000000846863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.874{8A63456F-25AF-6387-E402-000000009802}5656C:\Windows\SysWOW64\reg.exe 10341000x8000000000000000846862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.858{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-25AF-6387-E202-000000009802}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.858{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-25AF-6387-E202-000000009802}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.858{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-25AF-6387-E202-000000009802}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.748{8A63456F-25AF-6387-E202-000000009802}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000846858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.858{8A63456F-1471-6387-1600-000000009802}12801452C:\Windows\system32\svchost.exe{8A63456F-25AF-6387-E902-000000009802}5600C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.858{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-25AF-6387-E902-000000009802}5600C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.858{8A63456F-25AF-6387-E902-000000009802}5600536C:\Windows\system32\conhost.exe{8A63456F-25AF-6387-E702-000000009802}5188C:\Windows\SysWOW64\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.843{8A63456F-1471-6387-1600-000000009802}12804312C:\Windows\system32\svchost.exe{8A63456F-25AF-6387-E802-000000009802}5228C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.843{8A63456F-1471-6387-1600-000000009802}12801452C:\Windows\system32\svchost.exe{8A63456F-25AF-6387-E602-000000009802}5644C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.843{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-25AF-6387-E602-000000009802}5644C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.843{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-25AF-6387-E802-000000009802}5228C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.843{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-25AF-6387-E902-000000009802}5600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.843{8A63456F-25AF-6387-E802-000000009802}52285568C:\Windows\system32\conhost.exe{8A63456F-25AF-6387-E402-000000009802}5656C:\Windows\SysWOW64\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.843{8A63456F-25AF-6387-E602-000000009802}56442424C:\Windows\system32\conhost.exe{8A63456F-25AF-6387-E502-000000009802}5208C:\Windows\SysWOW64\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.849{8A63456F-25AF-6387-E902-000000009802}5600C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{8A63456F-25AF-6387-E702-000000009802}5188C:\Windows\SysWOW64\net.exeC:\Windows\System32\net.exe stop MSSQLSERVER 10341000x8000000000000000846847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.843{8A63456F-1471-6387-1200-000000009802}7765452C:\Windows\System32\svchost.exe{8A63456F-25AF-6387-E902-000000009802}5600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000846846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.843{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exeC:\README2022-11-30 09:43:11.843 10341000x8000000000000000846845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.843{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-25AF-6387-E702-000000009802}5188C:\Windows\SysWOW64\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.827{8A63456F-25AF-6387-E302-000000009802}48203528C:\Temp\prestige_ransomware.exe{8A63456F-25AF-6387-E702-000000009802}5188C:\Windows\SysWOW64\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9428(wow64)|C:\Windows\System32\KERNELBASE.dll+d810c(wow64)|C:\Temp\prestige_ransomware.exe+5a3f|C:\Temp\prestige_ransomware.exe+5abc|C:\Temp\prestige_ransomware.exe+11a8d|C:\Temp\prestige_ransomware.exe+408ca|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000846843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.840{8A63456F-25AF-6387-E702-000000009802}5188C:\Windows\SysWOW64\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exeC:\Windows\System32\net.exe stop MSSQLSERVERC:\Temp\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=42C289E1F976730A0325C0D1A293437502BEF55935F08F258F81B89CF59ABD25{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe"C:\Temp\prestige_ransomware.exe" 10341000x8000000000000000846842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.827{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-25AF-6387-E802-000000009802}5228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.827{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-25AF-6387-E602-000000009802}5644C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000846840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.840{8A63456F-25AF-6387-E802-000000009802}5228C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{8A63456F-25AF-6387-E402-000000009802}5656C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCR\.enc /ve /t REG_SZ /d enc /f 10341000x8000000000000000846839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.827{8A63456F-1471-6387-1200-000000009802}7765452C:\Windows\System32\svchost.exe{8A63456F-25AF-6387-E802-000000009802}5228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.827{8A63456F-1471-6387-1200-000000009802}7765452C:\Windows\System32\svchost.exe{8A63456F-25AF-6387-E702-000000009802}5188C:\Windows\SysWOW64\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.838{8A63456F-25AF-6387-E602-000000009802}5644C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{8A63456F-25AF-6387-E502-000000009802}5208C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCR\enc\shell\open\command /ve /t REG_SZ /d "C:\Windows\Notepad.exe C:\Users\Public\README" /f 10341000x8000000000000000846836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.827{8A63456F-1471-6387-1200-000000009802}7765452C:\Windows\System32\svchost.exe{8A63456F-25AF-6387-E602-000000009802}5644C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.827{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-25AF-6387-E502-000000009802}5208C:\Windows\SysWOW64\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.827{8A63456F-1471-6387-1200-000000009802}7765452C:\Windows\System32\svchost.exe{8A63456F-25AF-6387-E502-000000009802}5208C:\Windows\SysWOW64\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.827{8A63456F-25AF-6387-E302-000000009802}48203528C:\Temp\prestige_ransomware.exe{8A63456F-25AF-6387-E502-000000009802}5208C:\Windows\SysWOW64\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9428(wow64)|C:\Windows\System32\KERNELBASE.dll+d810c(wow64)|C:\Temp\prestige_ransomware.exe+5a3f|C:\Temp\prestige_ransomware.exe+112f3|C:\Temp\prestige_ransomware.exe+11a6a|C:\Temp\prestige_ransomware.exe+408ca|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000846832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.833{8A63456F-25AF-6387-E502-000000009802}5208C:\Windows\SysWOW64\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\System32\reg.exe add HKCR\enc\shell\open\command /ve /t REG_SZ /d "C:\Windows\Notepad.exe C:\Users\Public\README" /fC:\Temp\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=CBB9F8D012CB0AF2CA87AC74ABB5C77A7743C64697C8D92104D3EBA27A699AB0{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe"C:\Temp\prestige_ransomware.exe" 10341000x8000000000000000846831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.827{8A63456F-2414-6387-7E02-000000009802}4328992C:\Windows\system32\csrss.exe{8A63456F-25AF-6387-E402-000000009802}5656C:\Windows\SysWOW64\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.827{8A63456F-25AF-6387-E302-000000009802}48203528C:\Temp\prestige_ransomware.exe{8A63456F-25AF-6387-E402-000000009802}5656C:\Windows\SysWOW64\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9428(wow64)|C:\Windows\System32\KERNELBASE.dll+d810c(wow64)|C:\Temp\prestige_ransomware.exe+5a3f|C:\Temp\prestige_ransomware.exe+112d3|C:\Temp\prestige_ransomware.exe+11a6a|C:\Temp\prestige_ransomware.exe+408ca|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000846829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.828{8A63456F-25AF-6387-E402-000000009802}5656C:\Windows\SysWOW64\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\System32\reg.exe add HKCR\.enc /ve /t REG_SZ /d enc /fC:\Temp\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=CBB9F8D012CB0AF2CA87AC74ABB5C77A7743C64697C8D92104D3EBA27A699AB0{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe"C:\Temp\prestige_ransomware.exe" 10341000x8000000000000000846828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.827{8A63456F-1471-6387-1200-000000009802}7765452C:\Windows\System32\svchost.exe{8A63456F-25AF-6387-E402-000000009802}5656C:\Windows\SysWOW64\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000846827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.811{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exeC:\Users\Public\README2022-11-30 09:43:11.811 10341000x8000000000000000846826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.811{8A63456F-1471-6387-1200-000000009802}7765452C:\Windows\System32\svchost.exe{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.796{8A63456F-1471-6387-1200-000000009802}7764200C:\Windows\System32\svchost.exe{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.796{8A63456F-1471-6387-1200-000000009802}7764200C:\Windows\System32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.780{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.780{8A63456F-2418-6387-9102-000000009802}21206028C:\Windows\Explorer.EXE{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a198f|C:\Windows\System32\windows.storage.dll+a1605|C:\Windows\System32\windows.storage.dll+a10f6|C:\Windows\System32\windows.storage.dll+a2568|C:\Windows\System32\windows.storage.dll+a0f1e|C:\Windows\System32\windows.storage.dll+a3abd|C:\Windows\System32\windows.storage.dll+a41fc|C:\Windows\System32\windows.storage.dll+a3560|C:\Windows\System32\windows.storage.dll+923aa|C:\Windows\System32\windows.storage.dll+92106|C:\Windows\System32\SHELL32.dll+4ca19|C:\Windows\System32\SHELL32.dll+4b5c6|C:\Windows\System32\SHELL32.dll+6d139|C:\Windows\System32\SHELL32.dll+e7e5e|C:\Windows\System32\SHELL32.dll+1542dc|C:\Windows\System32\SHELL32.dll+154033|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000846821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.789{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe-----"C:\Temp\prestige_ransomware.exe" C:\Temp\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=5FC44C7342B84F50F24758E39C8848B2F0991E8817EF5465844F5F2FF6085A57{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000846820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:09.597{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54220-false10.0.1.12-8000- 11241100x8000000000000000846819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.034{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-11-17 09:52:17.849 23542300x8000000000000000846818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.034{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecuritySHA256=8EE3C071C4EDA8A4CE552A6986DA6522A8F76D1507D2260140605E7D950D1D8Dfalsetrue 23542300x8000000000000000395370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:12.241{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97EA48A39F41A34ABC84DDF8A1B5BF4B,SHA256=142BA0EE11614CB3531BD1B8CD73A726AF4B019A6E76F3423B29FF4390BE2E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000846969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.918{8A63456F-25AF-6387-E302-000000009802}4820ATTACKRANGE\AdministratorC:\Temp\prestige_ransomware.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\rawdata\2342085249.oldSHA256=01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546Bfalsefalse - shredded file with pattern 0x0a 23542300x8000000000000000846968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.918{8A63456F-25AF-6387-E302-000000009802}4820ATTACKRANGE\AdministratorC:\Temp\prestige_ransomware.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\rawdata\2342085249.oldSHA256=01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546Bfalsefalse - shredded file with pattern 0x0a 10341000x8000000000000000846967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.751{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000846966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.751{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000846965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.751{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 11241100x8000000000000000846964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.642{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.642{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=F64495185208E0C39BC176DA6C16E6FA5BE689A64DECD09FD3311A1924DC57C1falsetrue 11241100x8000000000000000846962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.567{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.567{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=DF0A29F04CAAA6EFBAC163DC1B3EC923C2512AA58BA5AF779D880F49A50CA4DFfalsetrue 534500x8000000000000000846960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.548{8A63456F-25AF-6387-E902-000000009802}5600C:\Windows\System32\conhost.exe 534500x8000000000000000846959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.546{8A63456F-25AF-6387-E702-000000009802}5188C:\Windows\SysWOW64\net.exe 534500x8000000000000000846958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.544{8A63456F-25AF-6387-EA02-000000009802}5772C:\Windows\SysWOW64\net1.exe 11241100x8000000000000000846957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.501{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\volume.PNF2016-09-12 11:34:11.653 23542300x8000000000000000846956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.501{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\volume.PNFSHA256=14960E29FD2963850DBB6ECC33E185895FCDB869652F4AD0EA70B5730730024Cfalsetrue 11241100x8000000000000000846955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.485{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\volmgr.PNF2021-04-14 05:15:15.532 23542300x8000000000000000846954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.485{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\volmgr.PNFSHA256=B6CA90FFAE05B6F9771839BED34200E463AD7641E0710E6DE283481C5C42D530falsetrue 11241100x8000000000000000846953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.473{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\vdrvroot.PNF2018-01-06 00:20:25.761 23542300x8000000000000000846952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.472{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\vdrvroot.PNFSHA256=4DABDF47ED9037C7044C476BD0F00A0599B05FA1859AD967604653A4C7E5EC27falsetrue 11241100x8000000000000000846951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.437{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\umbus.PNF2016-09-12 11:34:11.247 23542300x8000000000000000846950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.437{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\umbus.PNFSHA256=84A0EA0DB3ACC7CB74786B59B0CD9C0B7DB753C3BF0325A9BEB5716DE805919Dfalsetrue 11241100x8000000000000000846949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.423{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\nettun.PNF2016-10-18 01:59:49.897 23542300x8000000000000000846948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.422{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\nettun.PNFSHA256=D7953FD291614A41E1C82BB1BAB9E1B49EA0B8BDF5B730900DE4D5EE3F74C9F8falsetrue 11241100x8000000000000000846947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.408{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\termmou.PNF2022-11-17 08:41:29.624 23542300x8000000000000000846946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.408{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\termmou.PNFSHA256=405DFAECE17F03F9BD0AF949041B7965C2DE5F759DF7F04F39D25FDCF19D3B0Bfalsetrue 10341000x8000000000000000846945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.401{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-EA02-000000009802}5772C:\Windows\SysWOW64\net1.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.400{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-EA02-000000009802}5772C:\Windows\SysWOW64\net1.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.400{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-EA02-000000009802}5772C:\Windows\SysWOW64\net1.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 11241100x8000000000000000846942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.398{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\swenum.PNF2016-09-12 11:34:09.887 23542300x8000000000000000846941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.397{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\swenum.PNFSHA256=3E5754186B921677D189929DC4D1C3F40E9249E43B1CD77A1EC2DF9BABA271A7falsetrue 11241100x8000000000000000846940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.386{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\spaceport.PNF2021-10-13 05:18:00.644 23542300x8000000000000000846939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.386{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\spaceport.PNFSHA256=34B68BB4D4072451488F7B8D5987BA2ED8055DACFAAB1BE5C66FC7BBB36A98D2falsetrue 11241100x8000000000000000846938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.377{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2022-11-17 09:51:50.314 23542300x8000000000000000846937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.377{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationSHA256=5AAC97E41761D023CF43D890E1F2904D1605762EB5CBB34B07F15E8386CD13A2falsetrue 11241100x8000000000000000846936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.369{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\rdpbus.PNF2016-09-12 11:34:08.341 23542300x8000000000000000846935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.369{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\rdpbus.PNFSHA256=1577B656BD0AB8A29F52D03CB800D5342D4FFF8AF17BE653FCD85CB2FC2BBB04falsetrue 11241100x8000000000000000846934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.332{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\pci.PNF2021-07-14 05:16:21.589 23542300x8000000000000000846933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.331{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\pci.PNFSHA256=C3C556B6642FA27B2177116CDC7686DF57E5D31ED2328EBA7E2FE652351DD9CFfalsetrue 11241100x8000000000000000846932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.320{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\msports.PNF2016-09-12 11:34:07.934 23542300x8000000000000000846931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.320{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\msports.PNFSHA256=0D5B23DB1EE896CA11E9E6931CC1716EE47C9EF3EFC3A97A1B839BB5154C1662falsetrue 11241100x8000000000000000846930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.296{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\mssmbios.PNF2016-09-12 11:34:07.653 23542300x8000000000000000846929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.296{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\mssmbios.PNFSHA256=50BCF6A0D21E470489901B7CC91DF7092771183116B683C55EB1952F12B7EA86falsetrue 11241100x8000000000000000846928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.281{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\msmouse.PNF2016-09-12 11:34:07.106 23542300x8000000000000000846927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.278{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\msmouse.PNFSHA256=AA98A22417C3635D8EF17FA7687AD24B2CA25FAD30AD5D95946F6DA09D10FEDDfalsetrue 10341000x8000000000000000846926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.262{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E902-000000009802}5600C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.262{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E902-000000009802}5600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.262{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E902-000000009802}5600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.259{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E902-000000009802}5600C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.258{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E902-000000009802}5600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.258{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E902-000000009802}5600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 11241100x8000000000000000846920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.234{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\monitor.PNF2016-09-12 11:34:07.481 23542300x8000000000000000846919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.233{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\monitor.PNFSHA256=EF7BD91A43143D4451BF533846951FB96B230971FC6BD14453A9887CD523C72Cfalsetrue 10341000x8000000000000000846918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.196{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E702-000000009802}5188C:\Windows\SysWOW64\net.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.195{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E702-000000009802}5188C:\Windows\SysWOW64\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.195{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E702-000000009802}5188C:\Windows\SysWOW64\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.186{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E702-000000009802}5188C:\Windows\SysWOW64\net.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.183{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E702-000000009802}5188C:\Windows\SysWOW64\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.183{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E702-000000009802}5188C:\Windows\SysWOW64\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.155{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.155{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.152{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.152{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.151{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.151{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.149{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.149{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.147{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.147{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 534500x8000000000000000846902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.145{8A63456F-25AF-6387-E202-000000009802}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 10341000x8000000000000000846901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.126{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.124{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.123{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.106{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.106{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.106{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.103{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E202-000000009802}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.103{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E202-000000009802}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.100{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E202-000000009802}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.099{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E202-000000009802}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.098{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E202-000000009802}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000846890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.098{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25AF-6387-E202-000000009802}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 11241100x8000000000000000846889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.080{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\kdnic.PNF2016-09-12 11:34:04.497 23542300x8000000000000000846888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.080{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\kdnic.PNFSHA256=B65E9AAD2B0FF58D3FAEC86909C1C6B4CB43FC723017C520F04EEFD7B06EA211falsetrue 11241100x8000000000000000846887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.050{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\keyboard.PNF2016-10-18 08:57:22.839 23542300x8000000000000000846886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.050{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\keyboard.PNFSHA256=FD95335CB45060B25F66D71F60F68A4A3A762BEAA4F1FEFBF8A9279257728A23falsetrue 11241100x8000000000000000846885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.016{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\wgencounter.PNF2022-11-10 09:59:18.642 23542300x8000000000000000846884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:12.016{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\wgencounter.PNFSHA256=ECAF4C76DA18ECCCAFE917FF8FDB448B11A9480A84F80CCC3A5F9232260431F3falsetrue 11241100x8000000000000000846883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.999{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\oem19.PNF2022-11-17 08:39:53.982 23542300x8000000000000000846882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.999{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\oem19.PNFSHA256=1C41245C91B1EA593B1E832799E76FC9BD4383AD55ABD6D8645E7BA27153A4FEfalsetrue 11241100x8000000000000000846881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.999{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exeC:\Windows\INF\oem12.PNF2018-09-16 18:43:49.072 23542300x8000000000000000846880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:11.999{8A63456F-146E-6387-0A00-000000009802}636NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\oem12.PNFSHA256=1AE8FFC9BC8D1718BAC6D4C77C397714DC85CFF4E466596EF2F7D276291E2C87falsetrue 23542300x8000000000000000395371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:13.319{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857A0C3B8D74C4DF6AB6085CD06FA9B9,SHA256=94CC2F2594A44E93705243D819D7F83B729A02ED638081A838B0372EED1A3A31,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.924{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.924{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=8EBEB6A172B7BBD12D602828E015036CC15E26DAA82F8F49D9DB62BA9C8E6A13falsetrue 534500x8000000000000000847035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.877{8A63456F-25B1-6387-EC02-000000009802}5824C:\Windows\System32\conhost.exe 534500x8000000000000000847034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.877{8A63456F-25B1-6387-EB02-000000009802}6036C:\Windows\System32\vssadmin.exe 924900x8000000000000000847033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.877{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe\Device\HarddiskVolume1 924900x8000000000000000847032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.877{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe\Device\HarddiskVolume1 924900x8000000000000000847031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.877{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe\Device\HarddiskVolume1 10341000x8000000000000000847030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.862{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.862{8A63456F-1471-6387-1100-000000009802}3725020C:\Windows\system32\svchost.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000847028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.862{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+20c1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.862{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+20c1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.862{8A63456F-1471-6387-1100-000000009802}3725020C:\Windows\system32\svchost.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000847025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.846{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+20c1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.846{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+20c1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.846{8A63456F-1471-6387-1100-000000009802}3725020C:\Windows\system32\svchost.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000847022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.846{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+20c1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.846{8A63456F-146E-6387-0A00-000000009802}6362552C:\Windows\system32\services.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.846{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+20c1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.846{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.846{8A63456F-146E-6387-0A00-000000009802}636700C:\Windows\system32\services.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000847017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.852{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k swprvC:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000847016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.846{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+1f148|C:\Windows\system32\lsasrv.dll+1e371|C:\Windows\system32\lsasrv.dll+1cb7e|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.846{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.846{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.846{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000847012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.846{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exeC:\System Volume Information\RemoteVss\{89300202-3cec-4981-9171-19f59559e0f2}-{F32554AF-9E70-418D-B16E-7F58170EA763}.PMS2022-11-30 09:43:13.846 11241100x8000000000000000847011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.846{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exeC:\System Volume Information\RemoteVss2022-11-30 09:43:13.846 10341000x8000000000000000847010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.831{8A63456F-1471-6387-1100-000000009802}3725020C:\Windows\system32\svchost.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000847009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.831{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+20c1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.831{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+20c1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.815{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.815{8A63456F-146E-6387-0A00-000000009802}6362552C:\Windows\system32\services.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.815{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.815{8A63456F-146E-6387-0A00-000000009802}636700C:\Windows\system32\services.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000847003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.799{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\System32\VSSVC.exe10.0.14393.4350 (rs1_release.210407-2154)Microsoft® Volume Shadow Copy ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSVC.EXEC:\Windows\system32\vssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=198E5F8976CB3643D7D0709793CD49F8565AEEAC7871389255C7560F497F99CB{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000847002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.781{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+1f148|C:\Windows\system32\lsasrv.dll+1e371|C:\Windows\system32\lsasrv.dll+1cb7e|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.781{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.781{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.781{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.781{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-25B1-6387-EB02-000000009802}6036C:\Windows\System32\vssadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.781{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-25B1-6387-EB02-000000009802}6036C:\Windows\System32\vssadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.773{8A63456F-1471-6387-1600-000000009802}12801452C:\Windows\system32\svchost.exe{8A63456F-25B1-6387-EC02-000000009802}5824C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.772{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-25B1-6387-EC02-000000009802}5824C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.770{8A63456F-25B1-6387-EC02-000000009802}58245712C:\Windows\system32\conhost.exe{8A63456F-25B1-6387-EB02-000000009802}6036C:\Windows\System32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.765{8A63456F-2414-6387-7E02-000000009802}4328992C:\Windows\system32\csrss.exe{8A63456F-25B1-6387-EC02-000000009802}5824C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000846992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.764{8A63456F-25B1-6387-EC02-000000009802}5824C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{8A63456F-25B1-6387-EB02-000000009802}6036C:\Windows\System32\vssadmin.exeC:\Windows\System32\vssadmin.exe delete shadows /all /quiet 534500x8000000000000000846991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.762{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe 10341000x8000000000000000846990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.761{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-25B1-6387-EB02-000000009802}6036C:\Windows\System32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000846989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.760{8A63456F-25AF-6387-E302-000000009802}48203528C:\Temp\prestige_ransomware.exe{8A63456F-25B1-6387-EB02-000000009802}6036C:\Windows\System32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9428(wow64)|C:\Windows\System32\KERNELBASE.dll+d810c(wow64)|C:\Temp\prestige_ransomware.exe+5a3f|C:\Temp\prestige_ransomware.exe+11d87|C:\Temp\prestige_ransomware.exe+408ca|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000846988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.754{8A63456F-25B1-6387-EB02-000000009802}6036C:\Windows\System32\vssadmin.exe10.0.14393.0 (rs1_release.160715-1616)Command Line Interface for Microsoft® Volume Shadow Copy Service Microsoft® Windows® Operating SystemMicrosoft CorporationVSSADMIN.EXEC:\Windows\System32\vssadmin.exe delete shadows /all /quietC:\Temp\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=4FE71EB779B57354E5600DC31E3DC1875ADC8A06663654AEC83F11109751E8FC{8A63456F-25AF-6387-E302-000000009802}4820C:\Temp\prestige_ransomware.exe"C:\Temp\prestige_ransomware.exe" 10341000x8000000000000000846987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.754{8A63456F-1471-6387-1200-000000009802}7765452C:\Windows\System32\svchost.exe{8A63456F-25B1-6387-EB02-000000009802}6036C:\Windows\System32\vssadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000846986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.523{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db2022-11-17 08:41:37.093 11241100x8000000000000000846985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.523{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db2022-11-17 08:41:37.077 11241100x8000000000000000846984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.523{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db2022-11-17 08:41:37.093 11241100x8000000000000000846983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.523{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db2022-11-17 08:41:37.077 11241100x8000000000000000846982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.523{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db2022-11-17 08:41:37.093 11241100x8000000000000000846981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.523{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db2022-11-17 08:41:37.108 11241100x8000000000000000846980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.523{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db2022-11-17 08:41:37.108 11241100x8000000000000000846979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.523{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db2022-11-17 08:41:37.124 11241100x8000000000000000846978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.507{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db2022-11-17 08:41:37.093 11241100x8000000000000000846977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.507{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db2022-11-17 08:41:37.108 11241100x8000000000000000846976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.507{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db2022-11-17 08:41:37.093 11241100x8000000000000000846975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.507{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db2022-11-17 08:41:37.108 11241100x8000000000000000846974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.507{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db2022-11-17 08:41:37.108 11241100x8000000000000000846973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.507{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db2022-11-17 08:41:37.108 11241100x8000000000000000846972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.507{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db2022-11-17 08:41:37.093 11241100x8000000000000000846971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.038{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000846970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:13.038{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=CE2648116A115E2776FC9FC6A5A2EC705AA64C052BDFE91EF2B7AD7D862EB7F3falsetrue 23542300x8000000000000000395372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:14.395{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9034BBBE2EB6E032DD27A4DABE34D5,SHA256=9468B8B17DE1C428E73A7D483E854A7D517BFA6571D8E70577EB525A9C794C9E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.954{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2022-11-17 09:51:56.383 23542300x8000000000000000847062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.954{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemSHA256=060EADB5B7C262A26BB83F7BA06F9A1E07C6325172EA065703643F723CD161C6falsetrue 10341000x8000000000000000847061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.575{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.575{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.575{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.575{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.575{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.575{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.570{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.570{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.568{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.568{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.557{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.557{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.557{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.526{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.526{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.526{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.524{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.524{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.524{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.524{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.524{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.523{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 11241100x8000000000000000847039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.111{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:14.111{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=4B39E8D87DC1DC65C5108F765AC1227B0C66411EDF5A4C1965A4FD7042442224falsetrue 354300x8000000000000000395374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:11.989{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50574-false10.0.1.12-8000- 23542300x8000000000000000395373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:15.473{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0A7B7610F01AC47157AA1F153078A8,SHA256=599E675C03A9FE6C93032768553A87D138592EDB11D5CB5A3ED68AF5630568A3,IMPHASH=00000000000000000000000000000000falsetrue 924900x8000000000000000847073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:15.788{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe\Device\Harddisk0\DR0 924900x8000000000000000847072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:15.788{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe\Device\HarddiskVolume1 10341000x8000000000000000847071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:15.775{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:15.775{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:15.775{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:15.774{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:15.774{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:15.774{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 11241100x8000000000000000847065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:15.176{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:15.176{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=702B73B6E1C3BDCB15D02463DB291201AEF3CACE1F7E7C6CF02D11A984E218BDfalsetrue 23542300x8000000000000000395375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:16.554{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C1C4738B9320FCDDAAB4230A762344,SHA256=7ABACC535E994CC3344682F1F5BACDA8ABC6AE84BB59BBE1A8416147710BA17D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:16.631{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:16.631{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000847075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:16.288{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:16.288{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=2ED824A547BEBB1EE0B0C4D0F337CE2286DC41629B9A85808333C5491C3499EDfalsetrue 23542300x8000000000000000395376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:17.640{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B62341034053E5D2937AFDC5F350F9C,SHA256=BF3DF36F539B7D69FCEA4385D64D3E63F55E7704446712EBA2150DFE00AD672C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000847080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:15.594{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54221-false10.0.1.12-8000- 11241100x8000000000000000847079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:17.380{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:17.380{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B726023C183BB1914D39945DD2ADD3EDD5212B27D5BC5C3F9A12956547C037B3falsetrue 23542300x8000000000000000395377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:18.727{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09410262EC94DC0AA7116A4710638C2,SHA256=26B74FE5D58F3020B3F3646DE8104F4C26891ECEC98C080D9A7D032AC7748487,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:18.465{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:18.465{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=C4F320461A8F17D710D03EDD65EC2C5DEB4374E75AD5E290D98098C4497311E0falsetrue 23542300x8000000000000000395378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:19.827{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF88C1A9A966D8CFC8CAA3D73091EFB0,SHA256=8D382B606155E5ED46C54E13D780C53581DA27FDE0D853FA5180A9918467B6BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:19.565{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:19.565{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=3F7109366AFE2A1602B14CAA3CC2D7D374A266843419E3564E871EE89AE4F7DBfalsetrue 23542300x8000000000000000395380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:20.917{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D075754E023016ACD07377F28A6B3E7,SHA256=0F1783BDB5A75AF21634D23C67025E1526243151781958177AE969C8DCC285B4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.634{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.633{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=C071F9609EDB4EB633DE0069E9841BA546BCC9E1CCE99769ABDC2E328110EBA4falsetrue 10341000x8000000000000000847109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.620{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.615{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.610{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.607{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.599{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.597{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.595{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.589{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.583{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.580{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.578{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.575{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 354300x8000000000000000395379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:17.811{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50575-false10.0.1.12-8000- 10341000x8000000000000000847097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.546{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.540{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.527{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.523{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.515{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.500{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.491{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.480{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.469{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.446{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.434{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.388{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:20.384{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 11241100x8000000000000000847114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:21.684{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:21.684{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B9E00AA96FD563AB8DE2749943C3B72CE4B641BFE1401840890845473C245A88falsetrue 23542300x8000000000000000395381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:21.882{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C8F92E772D629C1730B338ADCA896C70,SHA256=115E1DAC3E88966C729A53E4E3471757A45F83CC51192A0520CE8C7D9C4BCFCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:21.054{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 11241100x8000000000000000847116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:22.781{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:22.781{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=719D119D30F20F381A3C951BC2E64332E33C0F81DBEDDC83D2B1049F220270F8falsetrue 23542300x8000000000000000395382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:22.009{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE835180F5F76399AE9D48FCCCE3C5FB,SHA256=1D9716EE45A749E97F6FA8BA920225635D52AD0751A9627A8F29B6F57337E2C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.840{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.840{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=92DEF4F742AABD52A7FDD8934E96AE010EA6CA3031B5BC868192651C69B8C4BDfalsetrue 10341000x8000000000000000395412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.683{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.679{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.676{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.673{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.672{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.668{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.667{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.665{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.663{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.659{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.657{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.652{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.649{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.640{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.633{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.630{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.613{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.605{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.598{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.588{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.579{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.547{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.539{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.532{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.518{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.511{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.502{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.493{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000395384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.488{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x8000000000000000395383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:23.110{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F17A48720445D3A2FFF146BB4BD76F,SHA256=C412A98C0F87E0986C7324D23B098B0D787DED9C8F793CB3BA18127BA65D5E97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.721{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.718{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.717{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.717{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.711{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.697{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.683{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.642{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.639{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8902-000000009802}5008C:\Windows\system32\taskhostw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.635{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.631{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.629{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8502-000000009802}2056C:\Windows\System32\RuntimeBroker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.624{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.617{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.614{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.611{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.608{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.604{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.601{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.600{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.597{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.596{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.086{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 10341000x8000000000000000847117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:23.084{8A63456F-2424-6387-9602-000000009802}47845092C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980850) 11241100x8000000000000000847147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:24.933{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:24.933{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=86685B6B98FF8D503F5591C3A03B396DE54F8C06824CC44894317A7F3DFA4EBEfalsetrue 354300x8000000000000000847145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:21.479{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54222-false10.0.1.12-8000- 23542300x8000000000000000395413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:24.265{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EBDB5BE173A9E15B96D193F23C4FF3,SHA256=773081D13C95AF43E59E0A7EF3787EB19CA18400FE297CF3F9F4B6637A7A7910,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:24.777{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2022-11-17 09:51:50.314 23542300x8000000000000000847143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:24.777{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationSHA256=32B92A3D4596170FDA17C6F5DF5863BD198FDA4DD87461828949AEF8B716C717falsetrue 11241100x8000000000000000847150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:25.915{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:25.915{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=FA48582CB46D19BE01F46BAC19293EE64D4116C983F74CE504F339FBF8684C6Bfalsetrue 354300x8000000000000000395415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:22.842{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50576-false10.0.1.12-8000- 23542300x8000000000000000395414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:25.307{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F6003785043CD9E03EE2BE5658905D,SHA256=602167725F4307D5EA81787534CDAA06C36AA7BEB35E369C1B4112A4961FBF7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:25.093{8A63456F-1471-6387-0D00-000000009802}9083088C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:26.428{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD668C14356E33CD3E5697751EEA44F0,SHA256=C0AAED842747FD0597A6D07E38A7F1E03EE2C220BBF13B380165FD7460BEB661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:27.825{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-071MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:27.521{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638DFCD833E52335444D8088B1E3B913,SHA256=37A2412988E066CB4D5E6031D26DEC281AEB2239746591C976DAACA55BE4F230,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:27.012{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:27.012{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=4507927DD1F0D6B1AEBCB63CEE599C15B5C7F630E196BB4B0AE0DEC98738E474falsetrue 23542300x8000000000000000395420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:28.824{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-072MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:28.632{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4B8D36F1FBFF9E884A3CB2DCE495E9,SHA256=4E6BA1F6DE156AFAB8BF7867BDBB5E1046DC130210A54CF3A71C6996C1424116,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000847155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:26.613{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54223-false10.0.1.12-8000- 11241100x8000000000000000847154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:28.098{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:28.098{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=08674A12036D6CE891E4C7507FE0E54D5BC0B5F693D0F2048C7A7A79B64159B6falsetrue 23542300x8000000000000000395421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:29.744{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED152861D3A40BA2E027CC031295B7C5,SHA256=8F7A8D202A232AAC81FBB17238CF62DEBFAF99693A467C65588F0E0CD86FC7FB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:29.188{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:29.188{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B3267AEEEA1C5E638820FF29DE02611183C46C635ABEA4893B4662C85E038D8Dfalsetrue 23542300x8000000000000000395422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:30.847{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79307FB30CE5C8FEF78CCAFA68D28A46,SHA256=FD5D8D186A01E3F9DB1BEBCCEAD691C503DEF3E27495CF32E3E0A76FFA827A82,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:30.287{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:30.287{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=52029249637C3C6B3ED91F9FFE34FE08B8F696D3F163AD530DDC6980AA5653D9falsetrue 354300x8000000000000000847158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:27.337{8A63456F-1471-6387-1100-000000009802}372C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local123ntpfalse40.119.6.228-123ntp 23542300x8000000000000000395424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:31.938{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DE14C23DD733F6D66119E4856CDA76,SHA256=A32CEC7F3A13E03A70BA63BA709A009FC6C9592EC00E973DBF02D032E287085E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:31.387{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:31.387{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=0365421E9FE050706187E47D8AE3D8505836E6CD58841DEFFB9F80BDBE241833falsetrue 354300x8000000000000000395423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:27.904{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50577-false10.0.1.12-8000- 11241100x8000000000000000847164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:32.487{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:32.487{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=4F89A0233D1F63133F5F5D27FFF6942F6B4F09814C38049B5742A1C18D2F48CCfalsetrue 11241100x8000000000000000847167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:33.594{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-11-30 09:43:33.594 11241100x8000000000000000847166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:33.563{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:33.563{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=0FE19E4CA6FD30B9CB306B30DA8CF47E801E491833A95D6956AFD60B92C1EAA7falsetrue 23542300x8000000000000000395425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:33.033{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253785370C3D0DDDCC09D30CDA8C1FDE,SHA256=8897D04FD95BA2C0FD608EAAB316AC8C26E1231585B96939249C958C8DC43FF2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:34.667{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:34.667{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=0A84A8E034B12CDE9FB817F26D87048AFBD7F49FD6DFF75E3BB65E9334B96E93falsetrue 23542300x8000000000000000395426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:34.134{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171DD2361E480620CC8B51396A1D0E34,SHA256=2AADD762686ED6BC2AC76E2D344C4F3B6FFC39341FE15C868BAD460D8DACFB23,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:35.766{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:35.766{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=CABCF553AEAF4D2B35DA0B1672000F5175BF6002BE569B1110848FF81870DAD5falsetrue 23542300x8000000000000000395427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:35.230{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187482445384ED6B89E424971CEE3EA8,SHA256=8322D26A71F21226BC1644D9628A8F759DA761FD6532AEF1FE09D5F3ECF444F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:35.503{8A63456F-1471-6387-0D00-000000009802}9083088C:\Windows\system32\svchost.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:35.503{8A63456F-1471-6387-0D00-000000009802}9083088C:\Windows\system32\svchost.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000847170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:32.639{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54224-false10.0.1.12-8000- 23542300x8000000000000000847177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:36.963{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logSHA256=3D7BB4B7F4319E15987A92D72A3654B77CD255DF287CC67FF3801E5A27391709falsetrue 11241100x8000000000000000847176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:36.869{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:36.869{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=F38791016A9C2FD880B77CC2D2C0259E7694717C9C72009967A040BAC699C831falsetrue 23542300x8000000000000000395428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:36.334{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F614A4781D765C56D2A2D08672B91537,SHA256=0665E6AA138AADCAB82CA29B8EBA7534F5A974A0F2733428D9F94F2C658A7DC1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:37.965{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:37.965{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=D7CD6C9ACC845B0701078DEB4453B5C65D33B09718167EFBA6E70CB13ACFE49Efalsetrue 23542300x8000000000000000395431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:37.443{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087807C9FC8263149878FA3C980FCAB7,SHA256=C3B937B6FCCE3254A019423313D72D61BC0FD89367EFE54DEDD9CC5A879C17C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:33.838{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50578-false10.0.1.12-8000- 23542300x8000000000000000395429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:37.224{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8F951458693A6918ABAC4C04ADA1E823,SHA256=08C0AE39EBEC0B662E77A869C4C42BD613078F974231E270952AC07461C0D131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:38.545{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138F2FCB18E77D4CFB205E407983B157,SHA256=84BD4010340C7C65C4B14742E80E2FE40A9F6E13F8800B4087E7068FC5A66586,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:38.365{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2022-11-30 08:29:37.561 23542300x8000000000000000847180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:38.365{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datSHA256=134D7DB04585AC75F1A707EA2B9AB827BCFC30AB0982888E1882C68006C5A906falsetrue 23542300x8000000000000000395433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:39.639{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85292A7601C50F73E6D8B75020698202,SHA256=CBDD64BEFA89B16347BB4ED472576FF36FB85F80C5B8C33FCB864EC7B0798A1B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:39.056{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:39.056{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=D459986C600EF60EF02C9ACBBBE2D20CB7087EB2227844A83556EA3611CDBF73falsetrue 23542300x8000000000000000395434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:40.743{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB75762A062D9961FD68BB429C448C9,SHA256=E18E0A8A10CE881E8A61311EBC824E8577A7240B6622E151C8AF22B3F464969B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.678{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.674{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.667{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.665{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.658{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.656{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.654{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.641{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.634{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.622{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.620{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.618{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.588{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.569{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.552{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.545{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.533{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.522{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.512{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.490{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.482{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.469{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.458{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.399{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.393{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 354300x8000000000000000847186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:37.668{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54225-false10.0.1.12-8000- 11241100x8000000000000000847185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.155{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:40.155{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=C9D3A69BA9EE17336132F3F9158D2FEBEE30EBAA00C831F278D3813FEEC1BCE2falsetrue 23542300x8000000000000000395435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:41.850{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD48E3DF2EFA893DEB3CFB3C5CC7E34,SHA256=AB2C016CF3FCAFCEAEDF59BE5F7B8C6627F3B846579D4D569004687A221B1226,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:41.337{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:41.337{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=61015AE7219F59EF6A062AF49B4AA98AE11871B1316306A7AB501C006135FB86falsetrue 10341000x8000000000000000847212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:41.226{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 23542300x8000000000000000395437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:42.937{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E42E0B237E2FEE0CC193D23BA9262A6,SHA256=87DAF9D90E7549FAA228087346D3953895183B2488659D902890530D30B1F29F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000847220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:42.475{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-071SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0falsetrue 11241100x8000000000000000847219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:42.474{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\tmp\respondent-20221130082953-0712022-11-30 09:43:42.474 11241100x8000000000000000847218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:42.473{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\tmp\surveyor-20221130082951-0722022-11-30 09:43:42.473 11241100x8000000000000000847217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:42.301{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:42.301{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B3D28BBD181846E960888F364C4348F42A978069B2977E4E697EECDEDCD93DCCfalsetrue 10341000x8000000000000000847215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:42.285{8A63456F-1471-6387-0D00-000000009802}9083088C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000395436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:39.879{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50579-false10.0.1.12-8000- 10341000x8000000000000000847248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.897{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.895{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.894{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.893{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.890{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.876{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.863{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.815{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.811{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8902-000000009802}5008C:\Windows\system32\taskhostw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.807{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.803{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.801{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8502-000000009802}2056C:\Windows\System32\RuntimeBroker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.796{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.790{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.787{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.784{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.780{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.777{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.773{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.772{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.770{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.768{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 23542300x8000000000000000847226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.476{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-072SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x8000000000000000847225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.396{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.396{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=01CBCEB3859F659EDD83B57F9355C75D48A0428DCDB23D0C90D106BAD53C700Bfalsetrue 10341000x8000000000000000395466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.691{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.689{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.687{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.685{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.684{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.681{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.680{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.678{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.676{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.672{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.671{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.665{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.662{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.655{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.650{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.648{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.638{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.629{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.618{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.590{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.577{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.550{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.543{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.538{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.531{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.525{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.513{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.506{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:43.503{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000847223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.265{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.263{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000847221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.044{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000847251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:44.477{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:44.477{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=BEAEB57F99FCD8F8B664ABD7BD268D56BCEEC3FB816AD3A09B8CC2E14156A2B3falsetrue 23542300x8000000000000000395467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:44.278{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A061DA0210593CFE117ADF830A4452,SHA256=363A3D65356D48D8B83DCA2B441B8CFE2ABFCB0332AC24BC539E6C197A47110F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:44.055{8A63456F-1471-6387-0D00-000000009802}9083088C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000847253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:45.588{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:45.588{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=81DD8E92DE38EA64590B9D56EAF156B51D9FC3E1739E1B028FB9F1EFCB8ADD42falsetrue 23542300x8000000000000000395468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:45.333{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB8FE5EA16F4054B609BF31EB0AFA05E,SHA256=96F8A313C4949166AA2D0E80CB6E5BF9B0748C77ACF61DDB8F318ECA936F443D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:46.673{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:46.673{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=4778E17329F235203BD89E2C5020D7B19D74C42108BD44E00650150DC7AF7F41falsetrue 23542300x8000000000000000395473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:46.423{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7099E715269677994B55125E2716548E,SHA256=202611A685DE4DD45313CC865F9D189507FCB9F6F05F64F6EBB984F39DE5552D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000847254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:43.498{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54226-false10.0.1.12-8000- 10341000x8000000000000000395472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:46.240{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:46.240{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:46.239{E56ECBBF-146E-6387-0B00-000000009902}644536C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:46.226{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000847258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:47.767{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:47.767{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=FD993A89523E39EB3F60668182F0DC349A2DCCFFF931B62BF7BA1FC654101D9Cfalsetrue 354300x8000000000000000395475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:44.895{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50580-false10.0.1.12-8000- 23542300x8000000000000000395474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:47.512{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48137095874A6FFDE90C1CA51C75B4F9,SHA256=0F5AC691A2500EDD02CE56BFE2FFB75E350FE09235EA14D312A4C558E3723F8F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:48.958{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:48.958{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=6B53D03BDC6F509911C24BCC08C2B3EBCD4F86F46616C2A0603D6113062AC601falsetrue 23542300x8000000000000000395476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:48.610{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2EE7C277A18C67046457E2CBD15CBC4,SHA256=29E55314300D8A5D036CA4947EC8B5462084729A04060609D04E242C7A4AFFAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.931{E56ECBBF-25D5-6387-A902-000000009902}40002304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.869{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.712{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E3FC34B59D1FFD9265EC31D266C015,SHA256=74F860375E1C10FCBF8BE76F662DD783B65CBF5D95686437DED9124060C6500D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.712{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-25D5-6387-A902-000000009902}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.712{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.712{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.712{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.712{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.712{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.712{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.712{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.712{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.712{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.712{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-25D5-6387-A902-000000009902}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.712{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-25D5-6387-A902-000000009902}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:49.713{E56ECBBF-25D5-6387-A902-000000009902}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.793{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7C44A97A06B361256B72396DD1A4A43,SHA256=EF9E279DB60A5EF9411EAAACB20870F4D49A0F4C2F24A4C86F747BA507CB4890,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000847263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:48.567{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54227-false10.0.1.12-8000- 11241100x8000000000000000847262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:50.041{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:50.040{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=25AED5ED6A6B35FF8B23B8208AFF4BB69248C1F8A4D85EF9F2A697F4B067AF11falsetrue 10341000x8000000000000000395506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.386{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-25D6-6387-AA02-000000009902}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.386{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.386{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.386{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.386{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.386{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.386{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.386{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.386{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.386{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.386{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-25D6-6387-AA02-000000009902}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.386{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-25D6-6387-AA02-000000009902}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.387{E56ECBBF-25D6-6387-AA02-000000009902}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.230{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=37C290B1262DBCE670991D1730E72D0D,SHA256=C11A85EE6300A91B48BF5AD16F5B0962A1949812AA4FBC8CA0848CB17EB1FB6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.900{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F2F108DA4110517940FC4390EE2B42,SHA256=F40B76C35C44E24BBB5CC0DBF9FDBD7AE217968C69451D224C4077939E6C246E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:51.126{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:51.126{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=613C8C86C79109D9B998C78DC9CC5AC9AA0CF71589C09AB2AB219DA3C2AF91DDfalsetrue 354300x8000000000000000395525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:48.601{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50581-false10.0.1.12-8089- 10341000x8000000000000000395524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.182{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-25D7-6387-AB02-000000009902}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000395523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.182{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-25D7-6387-AB02-000000009902}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000395522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.182{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-25D7-6387-AB02-000000009902}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000395521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.054{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-25D7-6387-AB02-000000009902}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.053{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.053{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.053{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.053{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.053{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.053{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.052{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.052{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.052{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.052{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-25D7-6387-AB02-000000009902}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.051{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-25D7-6387-AB02-000000009902}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.051{E56ECBBF-25D7-6387-AB02-000000009902}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:51.051{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE312C48D21A38E48AA095F18628CA87,SHA256=4F83E5824E50F8BF2A90C225991CF1D2B89EF20FBE614F575FFCE3C206581098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:52.988{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE268A84F6F9C1D0E011BE5CEC7B3F5,SHA256=A76386F97AA19F1F727ECF8936A72F78DFB1991672347282EF8E40A57B757E58,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:52.218{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:52.218{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=5BCEC60E40F95CD30F15D8BD18C5BFB58EA768F6E6E70C97A8DF730ECBFBE827falsetrue 23542300x8000000000000000395527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:52.070{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6A5796E6941A8A3D89001104D29D21F7,SHA256=070FCC4853CF0DEF77809F1074F56A2E996EAFD098FA369BF782E9E6E640FB82,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:53.287{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:53.287{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=3875CCF9708F717DFC18672F4FE81633CC1C1B0F4240353CF7D5F843CD7F162Bfalsetrue 354300x8000000000000000395543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:50.818{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50582-false10.0.1.12-8000- 10341000x8000000000000000395542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:53.740{E56ECBBF-25D9-6387-AC02-000000009902}1836756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:53.584{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-25D9-6387-AC02-000000009902}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:53.584{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:53.584{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:53.584{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:53.584{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:53.584{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:53.584{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:53.584{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:53.584{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:53.584{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:53.584{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-25D9-6387-AC02-000000009902}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:53.584{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-25D9-6387-AC02-000000009902}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:53.585{E56ECBBF-25D9-6387-AC02-000000009902}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000847269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:53.026{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-11-17 09:52:52.240 23542300x8000000000000000847268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:53.025{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlSHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894falsetrue 354300x8000000000000000847274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:52.462{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54228-false10.0.1.12-8089- 11241100x8000000000000000847273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:54.385{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:54.385{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=6EBCE5B87B79B9CFECA92C0568E3A93A9B42EFEBCF72717347BB0C475A8E50CAfalsetrue 10341000x8000000000000000395571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.929{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-25DA-6387-AE02-000000009902}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.929{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.929{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.929{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.929{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.929{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.929{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.929{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.929{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.929{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.929{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-25DA-6387-AE02-000000009902}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.929{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-25DA-6387-AE02-000000009902}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.930{E56ECBBF-25DA-6387-AE02-000000009902}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000395558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.445{E56ECBBF-25DA-6387-AD02-000000009902}29003284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.257{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-25DA-6387-AD02-000000009902}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.257{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.257{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.257{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.255{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.255{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.255{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.255{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.255{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.255{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.255{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-25DA-6387-AD02-000000009902}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.255{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-25DA-6387-AD02-000000009902}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.255{E56ECBBF-25DA-6387-AD02-000000009902}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:54.059{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80F5986046F9E9DEDF29A8DDE393E2F,SHA256=D478BFFBABC949F2371E7DB1E4DB0B4FDD8A508291ED698AAC4516C171C2D903,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000847277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:53.686{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54229-false10.0.1.12-8000- 11241100x8000000000000000847276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:55.478{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:55.478{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=EF619200D3FFA8F31274719AA8647C648B761FC0D33E79796E49DD207F9C76B3falsetrue 10341000x8000000000000000395586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.778{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-25DB-6387-AF02-000000009902}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.778{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.778{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.778{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.778{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.778{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.778{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.778{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.778{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.778{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.778{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-25DB-6387-AF02-000000009902}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.778{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-25DB-6387-AF02-000000009902}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.779{E56ECBBF-25DB-6387-AF02-000000009902}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.316{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057A1E0BE4329DB9286A7CA65E9A5ACC,SHA256=2354B783011E6F70A62D209E8B1A9F1A5C1BD73948ABCCFD95CAF8F0C58CCEEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.120{E56ECBBF-25DA-6387-AE02-000000009902}3112520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000847279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:56.566{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:56.566{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=490A7C94626F8786816218F69CDD6ABB7B1AF3BD083F09F1C714BF22E6061A76falsetrue 23542300x8000000000000000395588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:56.247{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FC17C238B6DBC6379E0FD16AFD5E77,SHA256=1ADC6CB1C6B3C193D739C19D316659FA7C09392F8963E83E9D7E18265A45E9B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:56.012{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CCC15951A2BBE350C30A31489FE0DF6,SHA256=CED4739AFC53E28612D3732D32E640423449EDFE8A3F9378BD0AA5E0E05A5222,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:57.669{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:57.669{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B3066487C8C770CB9EDB3C49A55EF0592FC6E4D775E1EAA32F9A2B82052753D7falsetrue 23542300x8000000000000000395589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:57.315{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA0A0F3CC7BE62BECA804C3A7206E15,SHA256=966BDE03D7F0197F8A7E4CF2403434BD3E77921F3E671A346F41FBA01B670B71,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:58.741{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:58.741{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=C4E56CF509E594697E06AD3B45512425A05596AB6C33EF6DE89E2BF2370AB3D2falsetrue 23542300x8000000000000000395590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:58.423{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444C0F5BBFA8A8CCD6F667AE07CBD492,SHA256=A0B6F0998430E0155BAE65FA48FFB4FD1F9ECCB456F808386B15305AFDDF0C91,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:59.835{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:59.835{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=79EA6BEBB1D53E98BC44FF9287C98F22C3AD4E88EFF0FA92E4BB357DDB8B5931falsetrue 23542300x8000000000000000395592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:59.498{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D59D342C740ACF9859C18E868AD70A2,SHA256=78FA0DC3F55600864CD429140F17D3BCEDD095D2406D5B6EEA021DA77B39ADF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:43:55.960{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50583-false10.0.1.12-8000- 11241100x8000000000000000847312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.882{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.882{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=7148BAF039A457E1674EAA65AFC7B6F206DBE332722A4586022378EFE6ADD0D1falsetrue 23542300x8000000000000000395593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:00.608{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8F0902927CA87D4E23A868AED00FD7,SHA256=DD5DFB2370BBA53A0DF65C2BB030DC5941C24A4AD493EB75AF2E33069772CA22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.631{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.625{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.616{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.610{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.599{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.595{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.594{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.587{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.578{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.568{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.566{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.564{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.531{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.524{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.508{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.501{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.489{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.476{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.465{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.448{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.440{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.430{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.421{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.382{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:00.377{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 23542300x8000000000000000395594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:01.718{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9730A09AF2CA61B78BD46D32C74A6EBA,SHA256=981D3C9E3227D4BA25FEB4E8D04E7976960089C29D264A511EE83686EDDD1348,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000847314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:43:59.466{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54230-false10.0.1.12-8000- 10341000x8000000000000000847313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:01.000{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 23542300x8000000000000000395595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:02.811{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5280B598A100B5562D79980991CEE972,SHA256=A19A4CCD077AE3AFFB59C2173FA61E7B5D3112DF9D40D772D2549117AA3B0697,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:02.196{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:02.196{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=340A25D173213D64BE28CC30E2A0AF5967264BEE9ED232A824D6D999EFD6EFC9falsetrue 10341000x8000000000000000847343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.703{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.699{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.698{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.698{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.696{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.671{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.654{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 11241100x8000000000000000847336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.600{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-11-30 09:44:03.600 10341000x8000000000000000847335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.595{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.589{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8902-000000009802}5008C:\Windows\system32\taskhostw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.584{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.579{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.578{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8502-000000009802}2056C:\Windows\System32\RuntimeBroker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.572{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.564{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.562{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.560{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.554{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.550{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.546{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.545{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.542{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.541{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 11241100x8000000000000000847320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.279{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.278{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=AC268E505D8F86307C94E3C4EB82B85E5E7ED1D5DB55E360DD3AFA1A1D61D44Dfalsetrue 10341000x8000000000000000395624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.703{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.697{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.693{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.689{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.687{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.682{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.680{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.679{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.677{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.672{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.669{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.663{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.660{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.649{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.639{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.636{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.617{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.608{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.597{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.585{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.569{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.540{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.532{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.523{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.512{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.502{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.490{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.481{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:03.478{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000847318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.027{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 10341000x8000000000000000847317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:03.025{8A63456F-2424-6387-9602-000000009802}47844900C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001395A190) 23542300x8000000000000000395625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:04.318{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C965A0223D596981B5A69CA41AEA3737,SHA256=5A7A4DEFA08B0F2EE800F00CB8FCCDF643C4EC5544E2C031FE29D0F0D8601F7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:04.915{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-25E4-6387-EF02-000000009802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:04.915{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-25E4-6387-EF02-000000009802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:04.915{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-25E4-6387-EF02-000000009802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000847346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:04.915{8A63456F-25E4-6387-EF02-000000009802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000847345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:04.349{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:04.349{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=E511BACE38024C30DE450E37AC6E93C899580C787DC1C7888F6091FCE7BDF7E2falsetrue 23542300x8000000000000000395627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:05.630{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0104E88B926AFCC3BF6637C6D373875E,SHA256=AC209BDAA7B5D121CC7379D37B22294B8FDFC002A14EFF308A870CB1819ECEB5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:05.963{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-11-17 09:52:17.849 23542300x8000000000000000847359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:05.963{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecuritySHA256=E626D44130ABBBEC1FDB2363F95DCE48C0720ABDC045DDF0D51344835F7742EAfalsetrue 534500x8000000000000000847358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:05.775{8A63456F-25E5-6387-F002-000000009802}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 10341000x8000000000000000847357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:05.588{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-25E5-6387-F002-000000009802}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:05.588{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-25E5-6387-F002-000000009802}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:05.588{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-25E5-6387-F002-000000009802}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000847354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:05.588{8A63456F-25E5-6387-F002-000000009802}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000847353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:05.447{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:05.447{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=C60A1DDBFD1F86FDFB858DA9467C7D8C47E817F61FC897FF6EC94E684287E308falsetrue 354300x8000000000000000395626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:01.984{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50584-false10.0.1.12-8000- 534500x8000000000000000847351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:05.137{8A63456F-25E4-6387-EF02-000000009802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x8000000000000000847350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:05.121{8A63456F-25E4-6387-EF02-000000009802}59485992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:06.707{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39DFB0F8D71279C6CF2AD62A817E0CF,SHA256=29C427D9D799ED359185A2639275E206AB0607180D0D033E2F3AAA213DC768CC,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000847369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:06.578{8A63456F-25E6-6387-F102-000000009802}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 11241100x8000000000000000847368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:06.547{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:06.547{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=5C06FBC7938549E3F1A9167B4397C456BEB7FA8237A3F29CB41C0D9EFF7F2F63falsetrue 11241100x8000000000000000847366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:06.336{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2022-11-17 09:51:50.314 23542300x8000000000000000847365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:06.336{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationSHA256=F49A128E456CDD2854161D32016730F330599C82417E036A625DB268977425E0falsetrue 10341000x8000000000000000847364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:06.247{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-25E6-6387-F102-000000009802}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:06.247{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-25E6-6387-F102-000000009802}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:06.247{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-25E6-6387-F102-000000009802}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000847361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:06.248{8A63456F-25E6-6387-F102-000000009802}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:07.807{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E701DBD0A5FBC00A2BC75F644EA35B7D,SHA256=0B7DB84EDA4424B39CA2C35F6B68E04F5210647380AAA08FA8E5BA2FF222030E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000847375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:05.895{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54232-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000847374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:05.895{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54232-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000847373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:04.501{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54231-false10.0.1.12-8000- 11241100x8000000000000000847372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:07.623{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:07.623{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=F8839FE2BE68FC526DEDAA1900B9B5D5E008248E62FEEBE1E397EC30BAB36B94falsetrue 23542300x8000000000000000847370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:07.146{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logSHA256=E1C1C543713E3DF505956954BCADF994634D4B3645BE3F9CA8415A9B58CA73CCfalsetrue 23542300x8000000000000000395630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:08.914{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C09D427508C78A579F5FB45F4E6DC3F,SHA256=AB9AF8711E03B1937E19ADA5DF215B643C76E973FC2AB8E1815D0F7E42839816,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:08.712{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:08.712{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=6918563091C899E6AAC98437DD7EDE85D93427B7C48149771493AC1DCED37CABfalsetrue 534500x8000000000000000847381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:08.634{8A63456F-25E8-6387-F202-000000009802}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000847380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:08.618{8A63456F-25E8-6387-F202-000000009802}32525868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:08.446{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-25E8-6387-F202-000000009802}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:08.446{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-25E8-6387-F202-000000009802}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:08.446{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-25E8-6387-F202-000000009802}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000847376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:08.447{8A63456F-25E8-6387-F202-000000009802}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000847395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:09.804{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-25E9-6387-F402-000000009802}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:09.804{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-25E9-6387-F402-000000009802}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:09.804{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-25E9-6387-F402-000000009802}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000847392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:09.804{8A63456F-25E9-6387-F402-000000009802}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000847391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:09.694{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:09.694{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=C20F7DC01F1CB62B58046309875A31759F91DD586E85B2D06A842C1547BA9052falsetrue 534500x8000000000000000847389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:09.340{8A63456F-25E9-6387-F302-000000009802}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000847388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:09.340{8A63456F-25E9-6387-F302-000000009802}58845028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:09.121{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-25E9-6387-F302-000000009802}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:09.121{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-25E9-6387-F302-000000009802}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:09.121{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-25E9-6387-F302-000000009802}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000847384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:09.122{8A63456F-25E9-6387-F302-000000009802}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000847401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:10.962{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-11-17 09:52:17.849 23542300x8000000000000000847400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:10.962{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecuritySHA256=95C8DD15C2A00CA12D453264E341C32B19B3FA629DD388C43AD2342F788BF859falsetrue 11241100x8000000000000000847399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:10.790{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:10.790{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=8BA6FC1C0DE5857CF816C3FE98CC86EF19F2E4644EEDF99F6D2CEB46C4B5DD8Dfalsetrue 23542300x8000000000000000395631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:09.999{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C3AE71D32C657F5BE826FF00FF75D4,SHA256=08601EC3D7AE7A717147735F9CEB7E19DCAD990D90C3B968DE52141048298629,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000847397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:10.024{8A63456F-25E9-6387-F402-000000009802}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 10341000x8000000000000000847396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:10.008{8A63456F-25E9-6387-F402-000000009802}45802952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000847409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:11.965{8A63456F-25EB-6387-F502-000000009802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 354300x8000000000000000847408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:09.546{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54233-false10.0.1.12-8000- 11241100x8000000000000000847407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:11.903{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:11.903{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=BC5796C91FEEC21748F1B6F3BE230A8329F981CEB08C4A53064F8B6E0FCBFD71falsetrue 354300x8000000000000000395633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:07.822{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50585-false10.0.1.12-8000- 23542300x8000000000000000395632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:11.083{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF7ADEF41E8523331034907B4C8746C,SHA256=0859913DB4B24804D3411B2599B31310645F4A4D7B24980E866CA866D4589F24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:11.774{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-25EB-6387-F502-000000009802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:11.774{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-25EB-6387-F502-000000009802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:11.774{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-25EB-6387-F502-000000009802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000847402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:11.775{8A63456F-25EB-6387-F502-000000009802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000847411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:12.969{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:12.969{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=6882536E7328AB6977AC84C491D9F8F993ABBE5D84A05AB36E40634EE09F62ADfalsetrue 23542300x8000000000000000395634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:12.167{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6518D81395599A7508F51D91772034,SHA256=A256EE55F6916F92A12E2DC25E1A664485D07186931ACB652A7EFCD1324C54DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:13.256{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FADCF4318976248098A3EF2FC7750AA,SHA256=A70683EC67F33EEC1E452FD0FB42D2DE8E6CDE0369ED8DDF3DCB32C01CB1AC60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:14.349{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99618B450FE07EFB3E52A034A0D3426C,SHA256=A573A9B25AC58D485D84341D38F309898548EEF2F52669ED4866247647742A0D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:14.054{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:14.054{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=BD72320C9A0D0FAD02FCBC7F3D5E476344981618BA09471FFDF5AD3EEE29CB2Cfalsetrue 23542300x8000000000000000395637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:15.458{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F78F7DFBF658F512E8CA4338667F7E,SHA256=5EFB5685403B16F32D9D550D510CCD8D689B7026FD666BD09942A541EA31C524,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:15.147{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:15.147{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=6D51C93A931EB04B0797E8A86F75D3D3050613C1F92F8D76ED1C9260A18A016Cfalsetrue 23542300x8000000000000000395639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:16.538{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775AE77F60BD7FA8E85675F3971534B3,SHA256=A298647567AE30AE768DE224B4FFBE2D2664A0A35CDF6EA1EB9D28598E42AE01,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:16.249{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:16.249{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=A97C0107F37A273A29F452FF96F0FDB96F9873E3548611E3AD3AF550CF73F83Afalsetrue 354300x8000000000000000395638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:13.816{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50586-false10.0.1.12-8000- 23542300x8000000000000000395640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:17.620{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=229137F44BFD5D66FEB864A296F57748,SHA256=3362C77B649067987764A65E3A8B66CA2ADF91B6248D0DEBFF0A6E926336E97B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:17.340{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:17.340{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=FF1C14E5736693A7F894A30B36C6AC121504AE2572BC948E8163CCFD6CFC613Cfalsetrue 23542300x8000000000000000395641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:18.709{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BD9D49A047343D79119983E0F2E5A6,SHA256=200688D63401EC987D5C18C138A129B6070ABE8FA5F1364015A70DF37EB01821,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:18.410{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:18.410{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=EB758D3944D0B5BAF2E7A0643827111F3592E57B2BAAC67649B3A053B89235F5falsetrue 354300x8000000000000000847420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:15.519{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54234-false10.0.1.12-8000- 23542300x8000000000000000395642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:19.811{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166C71899F0372AB42C73A44B0BE07D5,SHA256=E8F30FE124CC503E974C9E63501F8DF5B6C7BD22F9FCCE5ED23915EB10FCD7EE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:19.505{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:19.505{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=63DCC5DA460FAF938445F4673DD6C224D25C5B4B34C1494B5792D451A18961E3falsetrue 23542300x8000000000000000395643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:20.913{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B422B00B6BF40BD9703E91AA6F2B274,SHA256=3C2AC8E0BAAB9B5E36ABF1DE513E1CD9347715E8DED4CF69BF24C90149B35DD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.668{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.662{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.653{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.650{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.640{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.633{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.626{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.621{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.606{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.602{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.598{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.595{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 11241100x8000000000000000847439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.585{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.585{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=72F9CFC90E00D1727F777A8990B2105AE6F1694B557B37F628B6B887B1DC1885falsetrue 10341000x8000000000000000847437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.555{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.548{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.528{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.523{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.516{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.498{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.488{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.474{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.466{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.450{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.438{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.393{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.390{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 23542300x8000000000000000395645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:21.990{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D5FA60D3D7F91D673EBC1C8360E7A1,SHA256=773032B005A7F7BD0B64F2CCB7AF2DCF5DD6DBF3B79C4158DDCE70AD551409EA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:21.640{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:21.640{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=028C53F6F54202A2A93E790200769656ED9FE4FBDB5711B90E2C240FE769D72Dfalsetrue 13241300x8000000000000000395644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:44:21.224{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d904a0-0x52a958fd) 10341000x8000000000000000847452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:21.113{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 11241100x8000000000000000847456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:22.738{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:22.737{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=7436BFB35DD77B48345A7670B54D6ABFB21678E4FBC6E1670B8193639019FB2Efalsetrue 354300x8000000000000000395647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:19.004{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50587-false10.0.1.12-8000- 23542300x8000000000000000395646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:22.202{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D1920A77AFED537A5F18102F5346E053,SHA256=1F8B73F5E7B4A02A782E23ED0BF9E51C69CC69AF9BA3E443EF94DB903913AA77,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.815{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.815{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=D484EB93A42192B80A9814EF80E5E5B0A3F168CFBC2CE3F1B05EAF7846AB45D2falsetrue 10341000x8000000000000000847481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.765{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.763{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.759{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.759{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.755{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000395677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.660{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.655{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.653{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.651{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.650{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.647{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.646{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.644{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.643{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.634{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.631{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.625{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.623{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.615{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.609{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.606{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.595{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.587{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.579{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.571{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.563{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.536{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.529{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.525{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.517{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.507{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.496{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.484{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.481{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x8000000000000000395648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:23.081{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACBC0BB6CED0BCBCBEE37399FB5F05C8,SHA256=4CF3D90B4B5772585670B5BEABD5E8AD705FF613FDEF8B488C18238446FFA4F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.736{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.726{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.697{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.694{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8902-000000009802}5008C:\Windows\system32\taskhostw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.690{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.686{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.682{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8502-000000009802}2056C:\Windows\System32\RuntimeBroker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.671{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.666{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.664{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.661{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.658{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.655{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.652{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.650{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.646{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.645{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 10341000x8000000000000000847459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.138{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 354300x8000000000000000847458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:20.654{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54235-false10.0.1.12-8000- 10341000x8000000000000000847457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:23.137{8A63456F-2424-6387-9602-000000009802}47841516C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013980190) 11241100x8000000000000000847485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:24.802{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:24.802{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=8D2BAAD499C745C776BD4FCE57187789C0F44C7655A880A0C5764136E67267F2falsetrue 23542300x8000000000000000395678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:24.268{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F8BB8FE46935D6A36F88A3ECDD36D9,SHA256=2F0B8976D42B71C701950BF83A4BA9F5AEB1683A5AB5A65EC7379CB2F2AA6AD0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:25.906{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:25.906{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=C359F5E3E8D60803E0B5A94DA2735FFF73C7E376DC1C57BB55EE022D87AB9015falsetrue 23542300x8000000000000000395679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:25.355{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13836B53D0B0551E18DAA5A7EA6B6E19,SHA256=5B4F22F4515E7F289CDF99138FBFB6854AA788CA9D17F6389E0F59D5E3794394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:26.443{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6DD50C9B79BD83A8F200D9F60539D4,SHA256=A3D14BCAEA9ED73B76CBD6DE8C1223A49C78D216A26F4AD45852E7B786FE6C5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:26.659{8A63456F-1471-6387-0D00-000000009802}9082236C:\Windows\system32\svchost.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000395682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:24.830{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50588-false10.0.1.12-8000- 23542300x8000000000000000395681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:27.532{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62053484E4C576AD2193049D23F859BF,SHA256=0EF6C14B7F4B9837497E8BA911BC3DE401DBC5C11FCD6C00CF5F9816C903BFF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.873{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25FB-6387-F602-000000009802}5480C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.872{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25FB-6387-F602-000000009802}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.872{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25FB-6387-F602-000000009802}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.425{8A63456F-1471-6387-1600-000000009802}12801452C:\Windows\system32\svchost.exe{8A63456F-25FB-6387-F602-000000009802}5480C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.425{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-25FB-6387-F602-000000009802}5480C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.410{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-25FB-6387-F602-000000009802}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.410{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-25FB-6387-F602-000000009802}5480C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.410{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-25FB-6387-F602-000000009802}5480C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.410{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-25FB-6387-F602-000000009802}5480C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd52|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000847552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.410{8A63456F-25FB-6387-F602-000000009802}5480C:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 11241100x8000000000000000847551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.394{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db2022-11-30 09:44:27.347 11241100x8000000000000000847550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.394{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db2022-11-30 09:44:27.347 11241100x8000000000000000847549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.394{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db2022-11-30 09:44:27.347 11241100x8000000000000000847548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.394{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db2022-11-30 09:44:27.347 11241100x8000000000000000847547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.394{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db2022-11-30 09:44:27.347 11241100x8000000000000000847546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.394{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db2022-11-30 09:44:27.347 11241100x8000000000000000847545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.394{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db2022-11-30 09:44:27.331 11241100x8000000000000000847544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.394{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db2022-11-30 09:44:27.331 11241100x8000000000000000847543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.394{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db2022-11-30 09:44:27.331 11241100x8000000000000000847542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.394{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db2022-11-30 09:44:27.331 11241100x8000000000000000847541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.394{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db2022-11-30 09:44:27.331 11241100x8000000000000000847540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.394{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db2022-11-30 09:44:27.331 11241100x8000000000000000847539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.394{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db2022-11-30 09:44:27.331 11241100x8000000000000000847538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.394{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db2022-11-30 09:44:27.331 11241100x8000000000000000847537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.378{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db2022-11-30 09:44:27.331 23542300x8000000000000000847536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.378{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98B9.tmpSHA256=B72211FF34392A0C9BCB52424A7392F45B490B77302C0753D61B5294CE865A6Ffalsetrue 11241100x8000000000000000847535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.378{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98B9.tmp2022-11-30 09:44:27.378 23542300x8000000000000000847534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.378{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98B8.tmpSHA256=7F047D62D9F647FB1CA8D7FD7227528C781C0A13E4C5CC5E830C261BD8BABEE7falsetrue 11241100x8000000000000000847533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.378{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98B8.tmp2022-11-30 09:44:27.378 23542300x8000000000000000847532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.378{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98B7.tmpSHA256=9655D302CFDD780E5ECCFC297F277AF2D2B87F8F850B1FEE522EFC82F0355CD8falsetrue 11241100x8000000000000000847531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.378{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98B7.tmp2022-11-30 09:44:27.378 23542300x8000000000000000847530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.378{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98B6.tmpSHA256=7190FA9449FD51B4DAC65D68C40530FF359C96229D1B7148B236F35DFA662DB6falsetrue 11241100x8000000000000000847529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.378{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98B6.tmp2022-11-30 09:44:27.378 23542300x8000000000000000847528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.378{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98B5.tmpSHA256=6FAC3CBA525B7D4B75E056C6C5C849840EAA70436032985F0914E1BA69B967F0falsetrue 11241100x8000000000000000847527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.378{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98B5.tmp2022-11-30 09:44:27.378 23542300x8000000000000000847526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.378{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98A4.tmpSHA256=581AE7382EA9AE4935984BB6F95411D2146E207F4BC39539A30A186D8D68F17Afalsetrue 11241100x8000000000000000847525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.363{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98A4.tmp2022-11-30 09:44:27.363 23542300x8000000000000000847524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.363{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98A3.tmpSHA256=A59331EEE6CE259D384008F0FF9D0CC67C70B6A94A3573FC67BB7808983077F1falsetrue 11241100x8000000000000000847523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.363{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98A3.tmp2022-11-30 09:44:27.363 23542300x8000000000000000847522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.363{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98A2.tmpSHA256=8F7A066FBA201D4BB9AA992E0BDDAD1162618BEEBAFF5C47943A32328B57E21Afalsetrue 11241100x8000000000000000847521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.363{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98A2.tmp2022-11-30 09:44:27.363 23542300x8000000000000000847520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.363{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98A1.tmpSHA256=05D6268BC072E615DD5C3B2F258E5574C504B5BF478060127151A4937FB000BDfalsetrue 11241100x8000000000000000847519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.363{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98A1.tmp2022-11-30 09:44:27.363 23542300x8000000000000000847518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.363{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98A0.tmpSHA256=8DB0C20FC61A982687144F7D64F77BA65324C1920D376D0F44933267510155BFfalsetrue 11241100x8000000000000000847517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.363{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm98A0.tmp2022-11-30 09:44:27.363 23542300x8000000000000000847516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.363{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm9890.tmpSHA256=50292D63F45B6B65351F0398605B0C48BE6AD6B615580302403823DDC8D6E6B3falsetrue 11241100x8000000000000000847515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm9890.tmp2022-11-30 09:44:27.347 23542300x8000000000000000847514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm988F.tmpSHA256=FCD6EF71DF2AA1134BAD38A9FFDDC1CCBE7D20667340197454A01D4463BEACBFfalsetrue 11241100x8000000000000000847513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm988F.tmp2022-11-30 09:44:27.347 23542300x8000000000000000847512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm988E.tmpSHA256=6A956576B437F458DD3EF22D81F1F699EA218020825016D8F045CB318AAA4057falsetrue 11241100x8000000000000000847511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm988E.tmp2022-11-30 09:44:27.347 23542300x8000000000000000847510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm988D.tmpSHA256=F813172FBA3106896A1FE49AF010959FAFD1A8FEA2CF1FD776418C45E957819Dfalsetrue 11241100x8000000000000000847509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm988D.tmp2022-11-30 09:44:27.347 23542300x8000000000000000847508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm988C.tmpSHA256=CEE4BDA025687F4152E83ED8377B4E4224B0C8FA29CE4DFFF634282A05A5AB47falsetrue 11241100x8000000000000000847507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm988C.tmp2022-11-30 09:44:27.347 11241100x8000000000000000847506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete2022-11-30 09:44:27.347 11241100x8000000000000000847505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db2022-11-30 09:44:27.347 11241100x8000000000000000847504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db2022-11-30 09:44:27.347 11241100x8000000000000000847503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db2022-11-30 09:44:27.347 11241100x8000000000000000847502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db2022-11-30 09:44:27.347 11241100x8000000000000000847501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db2022-11-30 09:44:27.347 11241100x8000000000000000847500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db2022-11-30 09:44:27.347 11241100x8000000000000000847499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.347{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db2022-11-30 09:44:27.331 11241100x8000000000000000847498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.331{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db2022-11-30 09:44:27.331 11241100x8000000000000000847497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.331{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db2022-11-30 09:44:27.331 11241100x8000000000000000847496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.331{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db2022-11-30 09:44:27.331 11241100x8000000000000000847495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.331{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db2022-11-30 09:44:27.331 11241100x8000000000000000847494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.331{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db2022-11-30 09:44:27.331 11241100x8000000000000000847493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.331{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db2022-11-30 09:44:27.331 11241100x8000000000000000847492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.331{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db2022-11-30 09:44:27.331 11241100x8000000000000000847491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.331{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db2022-11-30 09:44:27.331 11241100x8000000000000000847490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.000{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:27.000{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=89B0E154CE5751E5CF1E0B81CD57792D20510D1A583F743061C35306465E0FB4falsetrue 23542300x8000000000000000395683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:28.620{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92ED2B60B85547A0D3A41713D46EE3F4,SHA256=85953E35D7E772FFE6FC7CFED1FF0E2D18112D1E323F87395111DF332FE5DD00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:28.646{8A63456F-1471-6387-0D00-000000009802}9082236C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000847565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:28.521{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-11-17 09:52:17.849 23542300x8000000000000000847564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:28.521{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecuritySHA256=CC0BC6674F8319C8F838923825A7A50189FEA5965812B0299BEF0E1F0958A166falsetrue 11241100x8000000000000000847563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:28.458{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:28.458{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=800D076E5204A0A4A58CF400F2D59604F99275923DA712605CA2D743EA8122A9falsetrue 23542300x8000000000000000395685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:29.733{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0765E6F7A00C946C919C4581C4C72DF,SHA256=5619591D3AACA8CFA382B95FD7887864AF0EDC783DE6D179B2FAB1615BFD1A24,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:29.525{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:29.525{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=379D5C694E884F645D1024B8B6EDCAC8235371A5F8016CE16D8380E4133C4D5Ffalsetrue 23542300x8000000000000000395684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:29.341{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-072MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:29.415{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25FB-6387-F602-000000009802}5480C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:29.415{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25FB-6387-F602-000000009802}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:29.415{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25FB-6387-F602-000000009802}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 354300x8000000000000000847567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:26.555{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54236-false10.0.1.12-8000- 23542300x8000000000000000395687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:30.823{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F01D5F7D76D0FB0A9339CBB42784316,SHA256=34FFFF98A59E3C0B989717CF933A3489303059FCD6A83E09C6101D91013F9499,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:30.615{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:30.615{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=55D4A4BB991848E3682A3C7C326CBA56E374A6EA008F781C0BB8A81D079D1593falsetrue 23542300x8000000000000000395686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:30.341{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-073MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:31.918{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A92C432898573B9A82C5125C0C21AAC,SHA256=4FE35542F1E7AB15C9001D3D36B5D256A7888B884A537B47BF4424513708C815,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:31.705{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:31.705{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=57E40E32E05E26E27DD063DE1E6AE999ABF585C7DDC7E3FED4A8297D28BC75ACfalsetrue 23542300x8000000000000000395689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:32.989{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F9ECA43A056FCBCD79452F6DAA691C,SHA256=4D4E428AB6A96BCCE86AADD5AB053DB28061212DC5F8FB045670AF380DE0120E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:32.802{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:32.802{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=3EC8878DE2DB09A501BF110CC147D179ABF3A515F6A10BFE5D246AA8342934C1falsetrue 534500x8000000000000000847577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:32.458{8A63456F-25FB-6387-F602-000000009802}5480C:\Windows\System32\dllhost.exe 11241100x8000000000000000847582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:33.865{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:33.865{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=8921DAF40E54C98B59818DF5828C8E7E2850DEE6026FB51CE59EA52814057854falsetrue 354300x8000000000000000395690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:29.830{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50589-false10.0.1.12-8000- 11241100x8000000000000000847580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:33.590{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-11-30 09:44:33.590 11241100x8000000000000000847584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:34.951{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:34.951{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=67A3A1B01642D95FEA0A669F2E75690C2CBE1D775A3FB7A5E57E28C3FDD1833Cfalsetrue 23542300x8000000000000000395691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:34.081{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651F5A0FA01CCB14422E4C0D4AFBC634,SHA256=C6AB9EBD4662C02A9B10CA48541875613B83B4A02E2F304EA0D5F57AC4150700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:35.169{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50817A45D87DA1C65BB932107C15DAC6,SHA256=EA5C758BEA47E1589BBE0D0E48C5E529F7FB876F9D4F0B055BFB9331A38AD41E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000847585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:32.579{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54237-false10.0.1.12-8000- 23542300x8000000000000000395693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:36.257{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F032F37F53CABFE8E2278C72C2496D91,SHA256=4FD267DD58505FE98B67567181CF6B5A21474B0BB7AD47CD8D0787869EC5D34F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:36.057{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:36.057{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=50C5158A7D245F839DF92D8F7FB2B5B41696D3324F1B35ED8287E7F005A33CBAfalsetrue 23542300x8000000000000000395696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:37.343{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E504C38C023E04E838EF97561560C077,SHA256=D2F8B0023440A0B8488F73906F161E81364E445E20B069563986A5862BBEC2D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000847590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:37.238{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logSHA256=35084008334BA8616D00F0CFC6E094EDA61BE12AFAA7245B814B7C954693E3FAfalsetrue 11241100x8000000000000000847589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:37.160{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:37.160{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=49D8477EF0A7646A98D7EA5B1E17397CA10863881A3F56A2B7E3C6E3CE2423DCfalsetrue 23542300x8000000000000000395695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:37.234{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D60FCD1ECE07173A4AA0EFBC2C7C9EC2,SHA256=62928DDE4306058D81841A6F19CD8FBBB618B45B2C434D62AED2377E373997B1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000395694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:44:37.234{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d904a0-0x5c3432b0) 23542300x8000000000000000395697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:38.446{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6ABC7D572413C8320A7AC58B78F1A1C,SHA256=50AE5D80FEA555CAA754C1D320681995A85AF9C96FAA27D24CE2E8B31057A1E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:38.380{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2022-11-30 08:30:37.562 23542300x8000000000000000847593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:38.380{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datSHA256=9B67FC4DBD630EA47777E2D8CB3B2C5080151BA350C7101B716B83FA320F379Cfalsetrue 11241100x8000000000000000847592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:38.255{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:38.255{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=E51B5CBE98D232A1AB894898A6326AC3D08CBD5ECDB2D1D3EBB32321F70F4D4Afalsetrue 23542300x8000000000000000395700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:39.537{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F561A3D3555712682E79806CE4D3701,SHA256=BD72F071DFADE6D1D460137C471B802CA37919AE58971F18AF004571A5AFD414,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000847597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:37.619{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54238-false10.0.1.12-8000- 11241100x8000000000000000847596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:39.333{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:39.333{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=1B56A4B8E3108B71B39661FDC450A58BB125DB507CB319A6233F61F9971F3E41falsetrue 354300x8000000000000000395699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:35.965{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 354300x8000000000000000395698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:35.825{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50590-false10.0.1.12-8000- 23542300x8000000000000000395701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:40.641{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D850C35B480DB9F70FADFD3C5BA772,SHA256=FB1766189A3027E132C29D9EE8D268514E28C81686B064DF9E9E2CFFCCDFABCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.811{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.803{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.794{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.782{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.772{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.771{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.768{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.762{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.755{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.747{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.745{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.742{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.693{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.683{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.655{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.643{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.630{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.613{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.598{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.579{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.566{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.550{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.539{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 11241100x8000000000000000847601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.423{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.423{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=60377E283385A9BA4631C5969169AF1CE04B87795DA314FA35FC34B5D807D86Afalsetrue 10341000x8000000000000000847599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.419{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:40.410{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 23542300x8000000000000000395703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:41.745{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0A5D45FA2494FE05FD67B05741BB3B,SHA256=DE12B7ECEE57EE8DF6EA3B2BCF6389DD30DCF8ED779A05CD319C50CF2A35A9BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:41.444{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:41.443{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B5668465070E673111B1A2C466234D6D72094ECDF85419025F481502C078D682falsetrue 10341000x8000000000000000847625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:41.441{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 354300x8000000000000000395702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:38.367{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50591-false169.254.169.254-80http 23542300x8000000000000000395704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:42.841{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE16F3024FEA84FB4261D52A5D3E0EA0,SHA256=8B44D2DCD7C2FD617AED9A00B8FA3451FB8F469ABF9BFEE36ADD2241DD0767FC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:42.543{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:42.543{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=2843536653B45F01FE4813A934AC9BEAA0496188EB68F57D9DADDC7B70713922falsetrue 10341000x8000000000000000847649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.995{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 23542300x8000000000000000847648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.993{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-072SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0falsetrue 11241100x8000000000000000847647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.991{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\tmp\respondent-20221130082953-0722022-11-30 09:44:43.991 10341000x8000000000000000847646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.991{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 11241100x8000000000000000847645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.989{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\tmp\surveyor-20221130082951-0732022-11-30 09:44:43.989 10341000x8000000000000000847644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.988{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.985{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.982{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.979{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.978{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.975{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.974{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 11241100x8000000000000000847637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.626{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.626{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=0A7DACFC1C3B3CC6698F89F62C930A426212062191A2C895DBF56B041A5BA3BDfalsetrue 10341000x8000000000000000395733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.644{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.641{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.640{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.638{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.637{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.634{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.634{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.632{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.631{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.628{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.626{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.622{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.620{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.614{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.608{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.606{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.596{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.590{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.584{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.577{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.572{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.545{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.539{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.532{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.526{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.517{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.510{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.502{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000395705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:43.500{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000847635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.467{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.466{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.059{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.058{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.058{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.044{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000847711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.747{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.747{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=1A8258B24E1BD63C8C741EE61511CDC8F3DD2CA55EC40D004A389D072B3E7A66falsetrue 23542300x8000000000000000395734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:44.332{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35ECB26A09B422B6A1B1C818BB886B1F,SHA256=AAF441AA5EAF79B92B3E136CEC0DC7E14167871C8BA0D4E44D79CAA4388FBDB6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000847709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.513{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.513{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B445D3A5E7B214D7D13912D1B530C7D270E5B4A0C7972C7ACB017730823C52DFfalsetrue 10341000x8000000000000000847707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8502-000000009802}2056C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.169{8A63456F-1471-6387-0D00-000000009802}908932C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8502-000000009802}2056C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.082{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.079{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.078{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.078{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.076{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.062{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.049{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.018{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.015{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8902-000000009802}5008C:\Windows\system32\taskhostw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.010{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.007{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.004{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8502-000000009802}2056C:\Windows\System32\RuntimeBroker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 10341000x8000000000000000847650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:44.000{8A63456F-2424-6387-9602-000000009802}4784620C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A3D0) 11241100x8000000000000000847752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.990{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.990{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B5B1D42DEE309E3BBFFAB10F66EF5DA7C907EFCCE15E541D84C381E3CAE42DE4falsetrue 23542300x8000000000000000395736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:45.455{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0B4B7A7AA15B014FC5A671E3D80CF1,SHA256=6DC17FBB175982C395A73DB6CA4696F20059E7D46448F0D13702005DD3E4953D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:40.857{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50592-false10.0.1.12-8000- 354300x8000000000000000847750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:43.546{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54239-false10.0.1.12-8000- 10341000x8000000000000000847749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.375{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.375{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.375{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000847746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.375{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.375{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.375{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.375{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.375{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.375{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.375{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.375{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.375{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000847737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.360{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg.encSHA256=3BF918C3A84E20846C6B798C7EE350E3867D91EB53FA8DCB32BC2836F17A86DFfalsetrue 10341000x8000000000000000847736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.360{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.360{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.344{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.344{8A63456F-1471-6387-1600-000000009802}12801452C:\Windows\system32\svchost.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.344{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.329{8A63456F-2414-6387-7E02-000000009802}43284280C:\Windows\system32\csrss.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.329{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.329{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.329{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+4158d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000847727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.332{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000847726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.329{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.329{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.329{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.329{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.329{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.329{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.313{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.313{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.313{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.313{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.313{8A63456F-2418-6387-9102-000000009802}21205476C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.313{8A63456F-2418-6387-9102-000000009802}21205476C:\Windows\Explorer.EXE{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.266{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.266{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000847712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.001{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-073SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 23542300x8000000000000000395738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:46.432{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC2B2226548B1631F8DEFFF04F08B10,SHA256=449B1AA7A655D2C5F6A7F1297AE8D0BDB81A115C796CC839FEA4602E77F047BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.347{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260E-6387-F902-000000009802}5756C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.331{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-260E-6387-F902-000000009802}5756C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.331{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260E-6387-F902-000000009802}5756C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd52|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000847784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.341{8A63456F-260E-6387-F902-000000009802}5756C:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\system32\DllHost.exe /Processid:{133EAC4F-5891-4D04-BADA-D84870380A80}C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000847783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.331{8A63456F-1471-6387-1600-000000009802}12802036C:\Windows\system32\svchost.exe{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\system32\taskhostw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\UBPM.dll+12d2a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.331{8A63456F-1471-6387-1600-000000009802}12802036C:\Windows\system32\svchost.exe{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\system32\taskhostw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\UBPM.dll+12d2a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.315{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\system32\taskhostw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.315{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\system32\taskhostw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.315{8A63456F-1471-6387-1600-000000009802}12801452C:\Windows\system32\svchost.exe{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\system32\taskhostw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2b70|c:\windows\system32\UBPM.dll+e6fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000847778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.321{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\System32\taskhostw.exe10.0.14393.3297 (rs1_release_1.191001-1045)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exetaskhostw.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=1876990EEBC99F0B0F66BEC435FE2810E450532E23E22427DA31A09802394461{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs 10341000x8000000000000000847777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.315{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.315{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000847775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.237{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-11-17 09:52:17.849 23542300x8000000000000000847774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.237{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecuritySHA256=DF9A26BEF0291E086B58A5FFBCCA6B7DE55F4BC967A170DFAC812DF3A90C680Bfalsetrue 10341000x8000000000000000847773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.064{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.064{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.064{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.060{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.060{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.060{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.055{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.055{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.054{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.054{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.052{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.052{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.052{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.052{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.052{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.050{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.050{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.050{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.050{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.047{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:46.047{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000395737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:46.225{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:47.626{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A92B2186CB03EFDAF0463179BA169A7,SHA256=BD1FB2E78237FFFEA2F0D6C935860997E0F5C2FE70ED7E9D5C2971EE8D4BD5BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000847823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.938{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.938{8A63456F-260F-6387-FB02-000000009802}3948536C:\Windows\system32\csrss.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.828{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.828{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.578{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.578{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.578{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.563{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.563{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FB02-000000009802}3948C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000847814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.563{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000847813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.563{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 534500x8000000000000000847812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.563{8A63456F-260F-6387-FA02-000000009802}5776C:\Windows\System32\smss.exe 10341000x8000000000000000847811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.563{8A63456F-260F-6387-FA02-000000009802}57763784C:\Windows\System32\smss.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000847810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.571{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e73SystemSHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9{8A63456F-260F-6387-FA02-000000009802}5776C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000118 0000007c 10341000x8000000000000000847809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.563{8A63456F-146C-6387-0200-000000009802}324496C:\Windows\System32\smss.exe{8A63456F-260F-6387-FB02-000000009802}3948C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6ce4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.563{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FB02-000000009802}3948C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9bf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.547{8A63456F-260F-6387-FA02-000000009802}57763784C:\Windows\System32\smss.exe{8A63456F-260F-6387-FB02-000000009802}3948C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000847806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.551{8A63456F-260F-6387-FB02-000000009802}3948C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e73SystemSHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E{8A63456F-260F-6387-FA02-000000009802}5776C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000118 0000007c 354300x8000000000000000847805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:45.233{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.187.221.34-63177-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local3389ms-wbt-server 10341000x8000000000000000847804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.531{8A63456F-146C-6387-0200-000000009802}324496C:\Windows\System32\smss.exe{8A63456F-260F-6387-FA02-000000009802}5776C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6ce4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.531{8A63456F-146C-6387-0200-000000009802}3244852C:\Windows\System32\smss.exe{8A63456F-260F-6387-FA02-000000009802}5776C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000847802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.543{8A63456F-260F-6387-FA02-000000009802}5776C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 00000118 0000007c C:\Windows\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e73SystemSHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x8000000000000000847801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.438{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260E-6387-F902-000000009802}5756C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.438{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260E-6387-F902-000000009802}5756C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.437{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260E-6387-F902-000000009802}5756C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.437{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\system32\taskhostw.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.437{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\system32\taskhostw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.437{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\system32\taskhostw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.435{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.435{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000847793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.435{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 11241100x8000000000000000847792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.420{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.420{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=CA9922A1953871755313243BDBB3CF0EAC03ACA53D9A1262B5269873989FC827falsetrue 10341000x8000000000000000847790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.058{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\system32\taskhostw.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.058{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\system32\taskhostw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.058{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\system32\taskhostw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000395740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:48.716{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C202B78E05CD1923C30D8C79FA8D6E,SHA256=784A417BB25983659B71795BE2154E54EBC7315059E74B74B16115C9AF160CB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000848330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.989{8A63456F-1471-6387-1600-000000009802}12801140C:\Windows\system32\svchost.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.988{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.983{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.977{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000848326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.975{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000848325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.971{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd52|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000848324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.971{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000848323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.957{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.951{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.935{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.935{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000848319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.914{8A63456F-2418-6387-9102-000000009802}2120ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgSHA256=3182F4EFAFE698A4057171F7BDA0623EDC670323ECBB98F251712C201DE559B2falsetrue 10341000x8000000000000000848318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.907{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-260E-6387-F902-000000009802}5756C:\Windows\system32\DllHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.907{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\system32\taskhostw.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.907{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.907{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.907{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.907{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.907{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.907{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.907{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.907{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.907{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.907{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.906{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8902-000000009802}5008C:\Windows\system32\taskhostw.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.906{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.906{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.906{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8502-000000009802}2056C:\Windows\System32\RuntimeBroker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.906{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.906{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.906{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.906{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.906{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.906{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.906{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.905{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.905{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.905{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.905{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.905{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.905{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.905{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.905{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.905{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.905{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.905{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.905{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.905{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.905{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.904{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.904{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.904{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.904{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.904{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.904{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.904{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.904{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.904{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.904{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-260E-6387-F902-000000009802}5756C:\Windows\system32\DllHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\system32\taskhostw.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2424-6387-9602-000000009802}4784C:\Program Files\Aurora-Agent\aurora-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.903{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8902-000000009802}5008C:\Windows\system32\taskhostw.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8502-000000009802}2056C:\Windows\System32\RuntimeBroker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.902{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.901{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.900{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79e4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000848212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.899{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\System32\winlogon.exe 10341000x8000000000000000848211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.894{8A63456F-1471-6387-1600-000000009802}12801140C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+2870|c:\windows\system32\themeservice.dll+26d8|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.891{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.890{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.889{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.889{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.889{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.889{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000848204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.887{8A63456F-2610-6387-FE02-000000009802}5876C:\Windows\System32\dwm.exe 10341000x8000000000000000848203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.879{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.878{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.878{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.878{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.877{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.877{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.871{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.870{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.869{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.869{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.869{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.869{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000848191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.863{8A63456F-2610-6387-0003-000000009802}6120C:\Windows\System32\AtBroker.exe 10341000x8000000000000000848190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.863{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.862{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.861{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.861{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.861{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.861{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000848184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.855{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\System32\LogonUI.exe 10341000x8000000000000000848183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.855{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.854{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.854{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.853{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.853{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.852{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.852{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.838{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.838{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.837{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.837{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.837{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.837{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.836{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.836{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.835{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-2610-6387-0003-000000009802}6120C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000848167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.834{8A63456F-2414-6387-7F02-000000009802}41724728C:\Windows\system32\winlogon.exe{8A63456F-2610-6387-0003-000000009802}6120C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+3b284|C:\Windows\system32\winlogon.exe+38b7a|C:\Windows\system32\winlogon.exe+44b92|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000848166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.833{8A63456F-2610-6387-0003-000000009802}6120C:\Windows\System32\AtBroker.exe10.0.14393.0 (rs1_release.160715-1616)Windows Assistive Technology ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationATBroker.exeatbroker.exeC:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=A84417EE9D039891AF43B267896DB921A40838D8A17CC1BE29785D031E5944D4{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000848165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.829{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.828{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.827{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.827{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.827{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.827{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.826{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.822{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.821{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.821{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.820{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.820{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.820{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.803{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.803{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.802{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.802{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.801{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.801{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.800{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.800{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.800{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.799{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000848142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.799{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000848141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.795{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000848140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.795{8A63456F-2418-6387-9102-000000009802}21203148C:\Windows\Explorer.EXE{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+37c2f|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+34316|C:\Windows\System32\combase.dll+33aca|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000848139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.793{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000848138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.792{8A63456F-2610-6387-FF02-000000009802}4132C:\Windows\System32\rdpclip.exe 10341000x8000000000000000848137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.791{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000848136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.790{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg2022-11-30 09:44:48.790 10341000x8000000000000000848135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.790{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.789{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.789{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.789{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.781{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.781{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.775{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000848110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000848109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-2414-6387-7E02-000000009802}43281100C:\Windows\system32\csrss.exe{8A63456F-2610-6387-FF02-000000009802}4132C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000848099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852880C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2610-6387-FF02-000000009802}4132C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000848083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1471-6387-0F00-000000009802}3764116C:\Windows\System32\svchost.exe{8A63456F-2610-6387-FF02-000000009802}4132C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+549f2|c:\windows\system32\termsrv.dll+22ee6|c:\windows\system32\termsrv.dll+22763|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000848081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000848077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.766{8A63456F-2610-6387-FF02-000000009802}4132C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{8A63456F-2416-6387-8846-1F0000000000}0x1f46882HighSHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 10341000x8000000000000000848076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000848073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles2022-11-30 09:44:48.759 10341000x8000000000000000848072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000848040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000848038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000848037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.759{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000848034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.712{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2022-11-17 09:51:56.383 23542300x8000000000000000848033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.712{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemSHA256=1192929E6B4AF458D9B6F1D845CA88E1B92129FCF641C57B8BC518A0EA255969falsetrue 10341000x8000000000000000848032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.712{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.712{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000848030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.650{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.650{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=F5293B9A7B762FE0720257748887A246E6B2571607E5F4E67B1EABB9DF1A8324falsetrue 10341000x8000000000000000848028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.619{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.619{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.619{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.619{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.587{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000848023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-2414-6387-7E02-000000009802}43281180C:\Windows\system32\csrss.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\winsrv.DLL+7de7|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000848022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-2414-6387-7E02-000000009802}43281180C:\Windows\system32\csrss.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000848021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000848008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000848002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.541{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000848001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.509{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.509{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=A0D8263864FFC55ED405F9BF0528945E982F81B776900B980C89E72487456832falsetrue 11241100x8000000000000000847999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.494{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000847998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.494{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=AA965A90ABB80F31B979FEC64A30F31FC343CE320CC515A2C0BED68817511436falsetrue 10341000x8000000000000000847997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.416{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.416{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.369{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FE02-000000009802}5876C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.369{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FE02-000000009802}5876C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.369{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000847992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.369{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000847991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.369{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000847990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.369{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.369{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.369{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.369{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.353{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.353{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.353{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.353{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.353{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.353{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.353{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.353{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.353{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.337{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+1f148|C:\Windows\system32\lsasrv.dll+1e371|C:\Windows\system32\lsasrv.dll+1cb7e|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.337{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+1b566|C:\Windows\system32\lsasrv.dll+1cb15|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.320{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.320{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.320{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.320{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.320{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.320{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.320{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000847968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.313{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exeC:\Windows\INF\display.PNF2016-10-18 08:57:30.354 23542300x8000000000000000847967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.313{8A63456F-1471-6387-1600-000000009802}1280NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\INF\display.PNFSHA256=A6D89E8B514A2578A105237EAF691DBA639288D3F978AB116AA39FFCA48D370Afalsetrue 10341000x8000000000000000847966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.270{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.269{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.269{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.268{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.268{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.268{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.268{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.267{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.267{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.267{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.266{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.266{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.266{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.266{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.266{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.266{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.264{8A63456F-1471-6387-0F00-000000009802}3764968C:\Windows\System32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\termsrv.dll+a1327|c:\windows\system32\termsrv.dll+6aa08|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.264{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.264{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.263{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.263{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.263{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.262{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.259{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.259{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.257{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.254{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.253{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.252{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.252{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.251{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.251{8A63456F-1471-6387-0F00-000000009802}3764604C:\Windows\System32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\termsrv.dll+a1327|c:\windows\system32\termsrv.dll+6aa08|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.250{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.250{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.240{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.238{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.238{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260F-6387-FB02-000000009802}3948C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.238{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260F-6387-FB02-000000009802}3948C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.238{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.237{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.237{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260F-6387-FB02-000000009802}3948C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.237{8A63456F-1471-6387-1100-000000009802}3721588C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.235{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260F-6387-FB02-000000009802}3948C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.234{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.199{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FE02-000000009802}5876C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.199{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FE02-000000009802}5876C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.197{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000847919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.197{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000847918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.193{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.192{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.190{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FE02-000000009802}5876C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.186{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.185{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.185{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.177{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.173{8A63456F-1471-6387-0F00-000000009802}3764840C:\Windows\System32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\termsrv.dll+a1327|c:\windows\system32\termsrv.dll+6a6ed|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.173{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.173{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.172{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.171{8A63456F-1471-6387-1600-000000009802}12802036C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.171{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.171{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.170{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.170{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.170{8A63456F-1470-6387-0C00-000000009802}852988C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.170{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.170{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.169{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.168{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.168{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.166{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.165{8A63456F-1471-6387-1600-000000009802}12802036C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.158{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.157{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.155{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.155{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.153{8A63456F-1471-6387-1600-000000009802}12802036C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FE02-000000009802}5876C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.153{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FE02-000000009802}5876C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.130{8A63456F-260F-6387-FB02-000000009802}39484904C:\Windows\system32\csrss.exe{8A63456F-2610-6387-FE02-000000009802}5876C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.130{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.130{8A63456F-260F-6387-FC02-000000009802}58121988C:\Windows\system32\winlogon.exe{8A63456F-2610-6387-FE02-000000009802}5876C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000847885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.129{8A63456F-2610-6387-FE02-000000009802}5876C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-3{8A63456F-2610-6387-5D1F-2C0000000000}0x2c1f5d3SystemSHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000847884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.129{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+1f148|C:\Windows\system32\lsasrv.dll+1e371|C:\Windows\system32\lsasrv.dll+1d0ae|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.128{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+1f148|C:\Windows\system32\lsasrv.dll+1e371|C:\Windows\system32\lsasrv.dll+1cb7e|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.128{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+1b566|C:\Windows\system32\lsasrv.dll+1cb15|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000847881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.123{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exeC:\Windows\INF\termkbd.PNF2022-11-23 17:46:17.791 23542300x8000000000000000847880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.123{8A63456F-1471-6387-1600-000000009802}1280NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\INF\termkbd.PNFSHA256=DE60014665E5B8B040A680CEA631CA0B9EBCA8D5B7237B32F2BE37160D53072Cfalsetrue 10341000x8000000000000000847879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.111{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.110{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.110{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.110{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.108{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.108{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.106{8A63456F-2610-6387-FD02-000000009802}51085388C:\Windows\system32\LogonUI.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.098{8A63456F-1471-6387-1600-000000009802}12802036C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.098{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.095{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.095{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.095{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.093{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.093{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.093{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.092{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.092{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.092{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.092{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.088{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.088{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.088{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.088{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.088{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.088{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.086{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.086{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146C-6387-0200-000000009802}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 11241100x8000000000000000847852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.078{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2022-11-17 09:51:50.314 23542300x8000000000000000847851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.078{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationSHA256=032C8928C82BA57048B78CDBA88D6EB5ABA23850B5EC051341EDCA14B3C2DF5Efalsetrue 10341000x8000000000000000847850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.075{8A63456F-260F-6387-FB02-000000009802}39486076C:\Windows\system32\csrss.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000847849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.074{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.074{8A63456F-260F-6387-FC02-000000009802}58124920C:\Windows\system32\winlogon.exe{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000847847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.074{8A63456F-2610-6387-FD02-000000009802}5108C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a17855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e73SystemSHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000847846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.074{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.074{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26c37|C:\Windows\system32\lsasrv.dll+27dc9|C:\Windows\system32\lsasrv.dll+26ab5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.073{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+269fd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.071{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.071{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.070{8A63456F-1471-6387-1600-000000009802}12802036C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.065{8A63456F-1471-6387-1600-000000009802}12802036C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.064{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.063{8A63456F-1471-6387-1600-000000009802}12802036C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.063{8A63456F-1471-6387-1600-000000009802}12801336C:\Windows\system32\svchost.exe{8A63456F-260F-6387-FC02-000000009802}5812C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000847836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.063{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exeC:\Windows\INF\machine.PNF2018-03-24 02:25:04.241 23542300x8000000000000000847835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.062{8A63456F-1471-6387-1600-000000009802}1280NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\INF\machine.PNFSHA256=D57EECB33E39297D4F5A01476F1EB11B296DC8F45A17A0225DFCCCCA099DDB78falsetrue 10341000x8000000000000000847834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.060{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260E-6387-F902-000000009802}5756C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.059{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260E-6387-F902-000000009802}5756C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.059{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260E-6387-F902-000000009802}5756C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000847831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.021{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.021{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.021{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.021{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.021{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.021{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.021{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.021{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.898{E56ECBBF-2611-6387-B002-000000009902}39442728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.882{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.867{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=91E80C72B5B19AAF9F5DA16796AAE91B,SHA256=7A430AC3503F805977F4EE190CFC2B80E3C8D58EAAE17CFB29F5805FC0521629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.815{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2EAD962190AA5A579746C89CD99419,SHA256=9405144812D9C1E70F5F764D352F36D72BE42AACA047F149E63DD3F15FC37858,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.806{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2611-6387-B002-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000395756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.806{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2611-6387-B002-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000395755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.806{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2611-6387-B002-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000395754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.728{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2611-6387-B002-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.728{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.728{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.728{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.728{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.728{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.728{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.728{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.728{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.728{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.728{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2611-6387-B002-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.728{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2611-6387-B002-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:49.729{E56ECBBF-2611-6387-B002-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000848470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.988{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.988{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B2DB4C30F72F0CD8E775965B044E9DB9AECC2DB67638AEA91CB0ECB4DC18A89Efalsetrue 10341000x8000000000000000848468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.957{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.910{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.863{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.863{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.863{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.754{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.738{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.738{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.738{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.738{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.738{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.738{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.738{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.723{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.723{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.723{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.676{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.644{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 11241100x8000000000000000848450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.357{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.357{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=3793AF24A315E783757DFA579BA58140B8F4783D6F0F08919E1BC45E305D54B5falsetrue 10341000x8000000000000000848448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.248{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.248{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.248{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.248{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.248{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.248{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000395741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:45.999{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50593-false10.0.1.12-8000- 10341000x8000000000000000848435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.230{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.229{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.229{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.225{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.224{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.224{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.224{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.223{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.223{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.218{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.217{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.216{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.216{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.216{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.216{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.211{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.208{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.205{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.205{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.205{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.204{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.204{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.204{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 11241100x8000000000000000848404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.204{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.203{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=E17EFE8C0F9777A7DE1A6B9EC83935A6734438DB8C7660A3144E8B26A57232BBfalsetrue 10341000x8000000000000000848402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.194{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.194{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.193{8A63456F-1470-6387-0C00-000000009802}8522332C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.152{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.148{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.148{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.148{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.147{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.139{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000848393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.139{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd52|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000848392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.136{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000848391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.121{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.113{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.113{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.113{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0700-000000009802}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.111{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.111{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.111{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.109{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.109{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.109{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.104{8A63456F-146E-6387-0A00-000000009802}6365300C:\Windows\system32\services.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.099{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000848379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.099{8A63456F-146E-6387-0A00-000000009802}636368C:\Windows\system32\services.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000848378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.097{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000848377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.096{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.096{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7E02-000000009802}4328C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.094{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11abe|C:\Windows\system32\lsasrv.dll+1f148|C:\Windows\system32\lsasrv.dll+1e371|C:\Windows\system32\lsasrv.dll+1cb7e|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.094{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.094{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.094{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-146E-6387-0A00-000000009802}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.084{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.084{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.083{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.083{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.083{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.083{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.077{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.077{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.076{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.076{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.076{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.076{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.071{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.070{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.070{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.070{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.069{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.069{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000848353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.066{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.066{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=375218A012C52003C1FFE0BA3B6035B6BCF35DCB01540A03AD9271CA26B502B3falsetrue 10341000x8000000000000000848351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.062{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.061{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.060{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.060{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.060{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.060{8A63456F-1470-6387-0C00-000000009802}8524792C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000848345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.047{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.046{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=4BAF7D8ABD61162C935743304E1AA94187AF02F890B17F34FB992291BC50EC12falsetrue 10341000x8000000000000000848343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.019{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.018{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+626ce|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000848341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.018{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6267d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000848340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.017{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.017{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.017{8A63456F-1470-6387-0C00-000000009802}8524496C:\Windows\system32\svchost.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.017{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.016{8A63456F-1470-6387-0C00-000000009802}8525288C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000848335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.013{8A63456F-260F-6387-FB02-000000009802}3948C:\Windows\System32\csrss.exe 10341000x8000000000000000848334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.008{8A63456F-2418-6387-9102-000000009802}21204896C:\Windows\Explorer.EXE{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000848333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.008{8A63456F-2418-6387-9102-000000009802}2120652C:\Windows\Explorer.EXE{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000848332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.003{8A63456F-2418-6387-9102-000000009802}2120652C:\Windows\Explorer.EXE{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000848331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.003{8A63456F-2418-6387-9102-000000009802}2120652C:\Windows\Explorer.EXE{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380ab|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x8000000000000000395789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.983{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2612-6387-B202-000000009902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.983{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.983{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.983{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.983{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.983{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.983{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.983{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.983{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.983{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.983{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2612-6387-B202-000000009902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.983{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2612-6387-B202-000000009902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.983{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A28F2C80C2063B1E9CC80FC9EF764F40,SHA256=A7378DF3723CCDA8169EC0A245CE045D25DBD479D4EC7C8BD75B4CDFF5EEF7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.983{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA806D6A9A414FE8CEA1AD3F9234D3E,SHA256=2D436D269300AA101B3ECD54B05FBDA1AC4FE4B9107B65947D1CE824E7857C74,IMPHASH=00000000000000000000000000000000falsetrue 154100x8000000000000000395775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.986{E56ECBBF-2612-6387-B202-000000009902}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000848494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.579{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000848493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.578{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000848492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.578{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000848491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.577{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000848490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.577{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000848489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.577{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000848488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.576{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000848487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.576{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 10341000x8000000000000000848486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.576{8A63456F-2424-6387-9602-000000009802}47843552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438610) 354300x8000000000000000848485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:48.663{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54241-false10.0.1.12-8000- 354300x8000000000000000848484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.972{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54240-false20.83.81.164-443https 354300x8000000000000000848483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:47.899{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53954- 11241100x8000000000000000848482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.197{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.197{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=0EE4958006CCFCA76FA757C811916A6AEE2CC33DDDFD6E7A0A4E54518DEFA7B2falsetrue 10341000x8000000000000000848480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.130{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.130{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.130{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.125{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.125{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.125{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.116{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.116{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000848472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:50.116{8A63456F-2424-6387-9602-000000009802}47843812C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000395774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.402{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2612-6387-B102-000000009902}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.402{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.402{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.402{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.402{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.402{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.402{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.402{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.402{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.402{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.402{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2612-6387-B102-000000009902}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.402{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2612-6387-B102-000000009902}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:50.403{E56ECBBF-2612-6387-B102-000000009902}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000848471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:49.988{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:51.506{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 11241100x8000000000000000848496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:51.192{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:51.191{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=7C8DB922F5B3018C6564A8F60CEAC3C22F21884FFD0C4349AE1B21222F5C0CACfalsetrue 354300x8000000000000000395790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:48.630{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50594-false10.0.1.12-8089- 11241100x8000000000000000848499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:52.289{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:52.289{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=74DE8109CE48149305FC3A2C32CDA136FCB401BDF7F3A60E8DD09B6B678719A6falsetrue 23542300x8000000000000000395792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:52.393{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E43B62C132EED9CEFE30FC617B5765C7,SHA256=4E1004C04C1BCE9C8640637274AAF9BC4FA95849BFE48CB3EC201A874048BC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:52.015{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F07D5AE88E7AFCDF5221BB51F2F537A,SHA256=478C526977E83764B23B84A918D928269D0E50B6B18841296E9E675F4380BDBB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000848503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:53.376{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:53.376{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=05FBA9E96790A355028DB9C30D732E4A3C6B125359A678546DEDA6F09C35AF3Dfalsetrue 10341000x8000000000000000395807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.653{E56ECBBF-2615-6387-B302-000000009902}31401720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.497{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2615-6387-B302-000000009902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.497{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.497{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.497{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.497{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.497{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.497{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.497{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.497{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.497{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.497{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-2615-6387-B302-000000009902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.497{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2615-6387-B302-000000009902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.498{E56ECBBF-2615-6387-B302-000000009902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:53.106{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722BC4117733A96B7D0A574B050C710E,SHA256=017D8C15D24C2B31C8B0FA58F7D2D01C0E3A93A8DEFBCCB7674C34ED3FE18FCB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000848501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:53.043{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-11-17 09:52:52.240 23542300x8000000000000000848500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:53.043{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlSHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894falsetrue 534500x8000000000000000848509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:54.552{8A63456F-260D-6387-F702-000000009802}5036C:\Windows\System32\TSTheme.exe 11241100x8000000000000000848508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:54.458{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:54.458{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=D88BEED20942978BFD34C905D39DF1FCEC38682BBA4E37D84162E62DA7AFA386falsetrue 10341000x8000000000000000395837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.912{E56ECBBF-2616-6387-B502-000000009902}16841320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.709{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2616-6387-B502-000000009902}1684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.709{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.709{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.709{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.709{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.709{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.709{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.709{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.709{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.709{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.709{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2616-6387-B502-000000009902}1684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.709{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2616-6387-B502-000000009902}1684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.710{E56ECBBF-2616-6387-B502-000000009902}1684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000395823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:51.869{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50595-false10.0.1.12-8000- 10341000x8000000000000000395822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.350{E56ECBBF-2616-6387-B402-000000009902}31601704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.194{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C3268D14C5EC1D8ECF532CED9A0053,SHA256=BD3A162DB7944BFD2F2A13667DFC6BB98F1C87D6BD9E149E9F19055C07F00871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.178{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2616-6387-B402-000000009902}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.178{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.178{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.178{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.178{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.178{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.178{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.178{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.178{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.178{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.178{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2616-6387-B402-000000009902}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.178{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2616-6387-B402-000000009902}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:54.179{E56ECBBF-2616-6387-B402-000000009902}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000848506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:54.143{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg2022-11-30 09:44:54.143 11241100x8000000000000000848505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:54.143{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles2022-11-30 09:44:54.143 534500x8000000000000000848504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:54.013{8A63456F-2610-6387-0103-000000009802}5636C:\Windows\System32\dllhost.exe 354300x8000000000000000848513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:53.456{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54243-false169.254.169.254-80http 354300x8000000000000000848512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:52.470{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54242-false10.0.1.12-8089- 11241100x8000000000000000848511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:55.552{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:55.552{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=E6FB5946AF9028AD81DAD2C7E7E5D688F3F583D9C136CB89C62B1B62F86860DFfalsetrue 10341000x8000000000000000395851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:55.769{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2617-6387-B602-000000009902}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:55.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:55.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:55.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:55.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:55.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:55.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:55.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:55.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:55.769{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:55.769{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2617-6387-B602-000000009902}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000395840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:55.769{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2617-6387-B602-000000009902}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000395839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:55.769{E56ECBBF-2617-6387-B602-000000009902}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:55.299{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B50E569793EDDF3EB2F769E27A9C72B,SHA256=1E270BCDA0B9B0D96FBC21A64445E942338E597C2BAE87C644531CB81088E73D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000848515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:56.653{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:56.653{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=1CEC1D2386EEB6DD1EAC68B5267A544F6E9691FCEC6879447876381938D6963Efalsetrue 23542300x8000000000000000395852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:56.386{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D7A79C98698594BB144835ADAE02CA,SHA256=650C265D128C848E4B354F5B8ADC9D00BB109CA59664676B099029B27CEC6656,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000848518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:57.758{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:57.758{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=723501D27021DFC8308BC3D27537DDE3570B0A047F67290E0B7ABDE27E373078falsetrue 23542300x8000000000000000395853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:57.473{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6AD03C921415872E594676987BA530,SHA256=3FB80855A90EE4074D4EE67CB2C2EB55DFBB94E68A3F270B8156239BE411E43F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000848516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:54.551{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54244-false10.0.1.12-8000- 11241100x8000000000000000848522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:58.857{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:58.857{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B09509BB7D028F4C301497533265BFFA0B6B1D31C60175031B29CAB6F5B7C83Dfalsetrue 23542300x8000000000000000395854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:58.564{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756627B2C4EA9240D86DAFE83700A29A,SHA256=2637A5D46D5EC7473CEEE3513622625108A4EE4F78BF62D2ED5BE0496F132F60,IMPHASH=00000000000000000000000000000000falsetrue 924900x8000000000000000848520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:58.576{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe\Device\Harddisk0\DR0 924900x8000000000000000848519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:58.576{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe\Device\HarddiskVolume1 11241100x8000000000000000848524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:59.943{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:59.943{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=051B9A33565025A4A9A73BDC4B1E5A46A0BAD410DC9BB5444982AE62162FB3FDfalsetrue 23542300x8000000000000000395855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:59.652{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC23A4B72E0B7488F044F60A5517A910,SHA256=842F287330A650244C5D041BAFE56285654794C4C83CC3F75D7F23859AD9B842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000848550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.999{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=F4488CC48F772A9BF185770F97FF5DE248FF7A4F5FD93F52117ABCA5C1C3D823falsetrue 354300x8000000000000000395857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:44:56.921{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50596-false10.0.1.12-8000- 23542300x8000000000000000395856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:00.740{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B06AC84643531EF87B55E0145CA460A,SHA256=789B3B7B037DA8A01485C422C10066AC271766074D1E65A73CE9B917BB99FECD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000848549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.787{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.781{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.773{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.770{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.761{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.759{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.757{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.750{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.743{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.739{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.737{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.735{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.692{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.682{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.650{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.634{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.625{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.616{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.606{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.587{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.578{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.565{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.536{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.398{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.392{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 23542300x8000000000000000395858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:01.818{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D051B2E89DE93984021676879C2BF5,SHA256=3A1D4560206646F1583D12C30FD24C1D6056E347B55E7E099231266CD11C05CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000848553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:01.556{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:01.108{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 11241100x8000000000000000848551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:00.999{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000395859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:02.894{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DA767F50A3C0F316FD0742FA8EFE8D,SHA256=3CC350F401D402C011EA4DF9FC6E2F35B97AA0236550D3056D38805A3D5FD3E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000848556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:44:59.685{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54245-false10.0.1.12-8000- 11241100x8000000000000000848555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:02.054{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:02.054{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=901274E689A214C1DE0B2CE92380BC39B75F643B45DD1DDEEA9AF36F709D3B36falsetrue 10341000x8000000000000000848561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:03.601{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:03.600{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 11241100x8000000000000000848559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:03.600{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-11-30 09:45:03.600 11241100x8000000000000000848558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:03.158{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:03.158{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=F0D9596398064CA49D59E91E250988CA9B1387BE0B0C371D558F6E8D999AEF8Ffalsetrue 10341000x8000000000000000395888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.651{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.648{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.646{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.643{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.643{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.640{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.639{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.638{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.635{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.632{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.628{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.618{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.614{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.600{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.592{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.588{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.577{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.570{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.564{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.553{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.548{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.518{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.513{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.507{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.501{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.495{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.485{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.478{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000395860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:03.475{E56ECBBF-146F-6387-1E00-000000009902}20202448C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x8000000000000000848593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.906{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2620-6387-0403-000000009802}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.906{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2620-6387-0403-000000009802}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000848591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.906{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2620-6387-0403-000000009802}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000848590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.908{8A63456F-2620-6387-0403-000000009802}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000848589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.255{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.255{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=0655B4A3F29661CE1233663F118757776B1DC530A6D781258F8759A5066B7B79falsetrue 10341000x8000000000000000848587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.205{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.205{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.200{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260E-6387-F902-000000009802}5756C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.200{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\system32\taskhostw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.200{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-EE02-000000009802}2608C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.197{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-25B1-6387-ED02-000000009802}5588C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.197{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D102-000000009802}5180C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.196{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2550-6387-D002-000000009802}3300C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.193{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-245D-6387-AE02-000000009802}5168C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.182{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-241A-6387-9402-000000009802}296C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.173{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2419-6387-9302-000000009802}1072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 23542300x8000000000000000395889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:04.242{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62F66DC4426BF467C7AE5CDC7F508BA,SHA256=4F612B2C71DD89FF1F3625CCBE8A33282B80FDE40CD904F35F7BAC285B562A7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000848576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.149{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2418-6387-9102-000000009802}2120C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.146{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8902-000000009802}5008C:\Windows\system32\taskhostw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.143{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8702-000000009802}4400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.140{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8602-000000009802}1848C:\Windows\system32\sihost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.138{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8502-000000009802}2056C:\Windows\System32\RuntimeBroker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.135{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2417-6387-8402-000000009802}4636C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.130{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2415-6387-8102-000000009802}4652C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.127{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2414-6387-7F02-000000009802}4172C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.125{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.123{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.120{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.118{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.117{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.114{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 10341000x8000000000000000848562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:04.112{8A63456F-2424-6387-9602-000000009802}47845496C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000190DE3D0) 23542300x8000000000000000395890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:05.295{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A7D9E5D556DBE2CC949F778AB252BB,SHA256=917876172CB631A69C5A479E0F08A79887A1EF920247FFE51BB13ACB8BCFB8DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000848607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.875{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000848606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.844{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.2.regtrans-ms2022-11-30 09:45:05.844 11241100x8000000000000000848605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.844{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2022-11-17 09:51:56.383 23542300x8000000000000000848604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.844{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemSHA256=FF098CCD26DDB92B50682485E4FB15F4F3A3ADF15090947DF37427BC822CA39Afalsetrue 11241100x8000000000000000848603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.828{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.1.regtrans-ms2022-11-30 09:45:05.828 11241100x8000000000000000848602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.828{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.0.regtrans-ms2022-11-30 09:45:05.828 11241100x8000000000000000848601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.812{8A63456F-2611-6387-0303-000000009802}5604C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.blf2022-11-30 09:45:05.812 10341000x8000000000000000848600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.765{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2621-6387-0503-000000009802}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.765{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2621-6387-0503-000000009802}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000848598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.765{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2621-6387-0503-000000009802}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000848597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.766{8A63456F-2621-6387-0503-000000009802}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000848596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.269{8A63456F-2620-6387-0403-000000009802}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 11241100x8000000000000000848595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.253{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.253{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=0544798E297182FCDF534DE97B160991B6E7563B3165B66BAE8CE1A554640A8Dfalsetrue 23542300x8000000000000000395892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:06.387{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC150BFE770FA4F665C749F4BEFED311,SHA256=3946CED522C8A2AF408CA107D442420ADB3159ACF2A109AC0514BFEECC82640F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000848817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.994{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.992{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.990{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.987{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.985{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.982{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.980{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.978{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.975{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.973{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.971{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.969{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.967{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.964{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.962{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.960{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.957{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.955{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.934{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.934{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.934{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.934{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.934{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.917{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.917{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.917{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.917{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.917{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.917{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.917{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.902{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.902{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.902{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.902{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.902{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.902{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.886{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 11241100x8000000000000000848780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.886{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.886{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=09B1E646EA95BAAC08587B4E87AD6A001B1A7508EDF818F6F02CF2C56CB08AEEfalsetrue 10341000x8000000000000000848778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.870{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.870{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.870{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.855{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.855{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.839{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.839{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.839{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.839{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.839{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.839{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.839{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.823{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.823{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.823{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.823{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.823{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.823{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.792{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.792{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.792{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.792{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.792{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.792{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 11241100x8000000000000000848754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.792{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.792{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=7F605A788370F7C9DF7250D2C064A7EC0A2C40A7DABCCC4B4CAE54024CBE4B66falsetrue 10341000x8000000000000000848752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.777{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.777{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.761{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.761{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.761{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.745{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.745{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.730{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.730{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.714{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.714{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.714{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.714{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.683{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.667{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.667{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.652{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.652{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.652{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.652{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 11241100x8000000000000000848732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.652{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.652{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=8301F5A4F257060B6376F6091920221E723875F04011B1A662F960003E802E6Afalsetrue 10341000x8000000000000000848730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.652{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.636{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.636{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.636{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.636{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.636{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.620{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.620{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.620{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.620{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.605{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.605{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.589{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.589{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.589{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.589{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.589{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.589{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.573{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.558{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.542{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.542{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 534500x8000000000000000848708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.527{8A63456F-2622-6387-0603-000000009802}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 10341000x8000000000000000848707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.511{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.511{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 11241100x8000000000000000848705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.511{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.511{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=A72336916E988205AA343C17142B87B784A70F41809FE01D5CE7B485607C57A8falsetrue 10341000x8000000000000000848703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.511{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.495{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.495{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.495{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.495{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.495{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.480{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.480{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.480{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.480{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.480{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.464{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.464{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.464{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.449{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.449{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.449{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.433{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.417{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.417{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.417{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.417{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.417{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.402{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 354300x8000000000000000395891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:02.922{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50597-false10.0.1.12-8000- 10341000x8000000000000000848679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.384{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.382{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.375{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.369{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.365{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2622-6387-0603-000000009802}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.356{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.355{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2622-6387-0603-000000009802}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000848672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.355{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2622-6387-0603-000000009802}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000848671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.355{8A63456F-2622-6387-0603-000000009802}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000848670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.354{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.354{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=DC019939D88CA53F8A68EF65D4797F94DD3E8B50650DCEEC7921B6E53044D26Afalsetrue 10341000x8000000000000000848668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.351{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.346{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.316{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.316{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.316{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.301{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.301{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.285{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.285{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.285{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.269{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.269{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.254{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.254{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.254{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.254{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.254{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.254{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.238{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.238{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.238{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.222{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.222{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.222{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.222{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.207{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.207{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.207{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.191{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.191{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.191{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.191{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.176{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.176{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.176{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.160{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.160{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.160{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.144{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.129{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.129{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.129{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.129{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.113{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.097{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.097{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.097{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.097{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.082{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.082{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.082{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.082{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.082{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.066{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.066{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.066{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.066{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 534500x8000000000000000848611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.051{8A63456F-2621-6387-0503-000000009802}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x8000000000000000848610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.051{8A63456F-2621-6387-0503-000000009802}46242976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000848609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.000{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-11-17 09:52:17.849 23542300x8000000000000000848608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.000{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecuritySHA256=099C8FB312AE1574E16EE1AD2D2C061A31AC9A1BE5A6C1A7BE20A4756D1A360Dfalsetrue 23542300x8000000000000000395893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:07.463{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D813B92C453CCA73A0483C407937C71E,SHA256=4CC989B845319F305CEAB66FFED2DE9AD2FF8E34D09583C1294F8089B43A0862,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000849066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.994{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.994{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.993{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.993{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.992{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.992{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.986{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.986{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.985{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.985{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.985{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.985{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.979{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.979{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.978{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.978{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.978{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.977{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.972{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.971{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.970{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.970{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.970{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.970{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.964{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.963{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.963{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.962{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.962{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.962{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.956{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.955{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.954{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.954{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.953{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.953{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.950{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000849029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.947{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000849028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.930{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.930{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.930{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.930{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.930{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.930{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.930{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.930{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.915{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000849004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.868{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000849003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.868{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=3CA930FAC000B6DA7D27DDADB7FA6BD22DB422ADA827C7AF5FD26435C53F77C3falsetrue 10341000x8000000000000000849002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.758{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.727{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.727{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.727{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.727{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.727{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.727{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.711{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.711{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.711{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.711{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.711{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.711{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.696{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.696{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.696{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.696{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.696{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.696{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.680{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.680{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.680{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.680{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.680{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.680{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.680{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.680{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.680{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.680{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.680{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.680{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.665{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.665{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.665{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.665{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.665{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.665{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.649{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.649{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.649{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.649{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.649{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.649{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.649{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.633{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.633{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.633{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.633{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.633{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.633{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.633{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.633{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.633{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.633{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.633{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.618{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.618{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.618{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.618{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.618{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.618{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.602{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.602{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.602{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.602{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.602{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.602{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000848924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.477{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2022-11-17 09:51:50.314 23542300x8000000000000000848923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.477{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationSHA256=7006936A704B7F4A834E771B7227327C597AF82E2532F507430552674564923Cfalsetrue 23542300x8000000000000000848922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.415{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logSHA256=3B2CB160E61B1A0298AF0B75AEF43CEBFA1C1D004AD57A5D79A92C9DA7C1E9BDfalsetrue 10341000x8000000000000000848921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.393{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.392{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.392{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.391{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.391{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.391{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.391{8A63456F-1470-6387-0C00-000000009802}8523428C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000848914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.367{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.367{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=7FF71709572F04389779015C045CB8B567EDC30630596CB6A10FD3EDFDDE9687falsetrue 10341000x8000000000000000848912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.319{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.303{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.303{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.303{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.303{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.303{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.287{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.287{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.287{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.272{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.272{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.272{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.272{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.272{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 11241100x8000000000000000848898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.272{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 10341000x8000000000000000848897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.272{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x8000000000000000848896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.272{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=51C5C5D560D1BF462487CB4445AD0683EC81BB18E2D282528B00A4531AF0306Efalsetrue 10341000x8000000000000000848895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.256{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.256{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.256{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.256{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.256{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.256{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.256{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.240{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.240{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.240{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.240{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.240{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.240{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.225{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.225{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.209{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.209{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.193{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.193{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.193{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.193{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.178{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.178{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.178{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.162{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.162{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.162{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.162{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.162{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.147{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.147{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.147{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.147{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.147{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.147{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.147{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.131{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.131{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.131{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.131{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 11241100x8000000000000000848855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.131{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.131{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=A29861FF081439F20564734E6AFA56DC4822050810E4A9272B5AC12B2DA77409falsetrue 10341000x8000000000000000848853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.115{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.115{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.115{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.115{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.115{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 11241100x8000000000000000848848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.115{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 10341000x8000000000000000848847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.115{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x8000000000000000848846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.115{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=35A5D8C05B1751B55BAD50584D3EA3A2DACB83C56A349D8905924E5E57FFFEB4falsetrue 10341000x8000000000000000848845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.100{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.100{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.100{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.084{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.084{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.084{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.084{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.084{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.068{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.068{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.053{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.053{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.053{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.037{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.022{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.022{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.022{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.020{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.004{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.004{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.004{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.004{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.004{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.004{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x8000000000000000848821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.002{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 11241100x8000000000000000848820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.001{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000848819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.001{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=56E55A62FAE2DCD2D7487F35B4A24664E06DD06D5719435443B18DE3ADB48C7Efalsetrue 10341000x8000000000000000848818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:06.999{8A63456F-2611-6387-0303-000000009802}56043476C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{8A63456F-2611-6387-0203-000000009802}5948C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b1fc|C:\Windows\System32\combase.dll+3aeb2|C:\Windows\System32\combase.dll+39758|C:\Windows\System32\combase.dll+3754d|C:\Windows\System32\combase.dll+36c1f|C:\Windows\System32\combase.dll+52139|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 23542300x8000000000000000395894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:08.560{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EBEAAFADC801828FFD63F96B1C4901,SHA256=39352AAF4B0AA29DADCD5E16E909171553A05C1BDAAA1F2FAAB7664EAB320D17,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000849079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:08.677{8A63456F-2624-6387-0703-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000849078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:08.677{8A63456F-2624-6387-0703-000000009802}50765412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000849077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:08.456{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000849076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:08.456{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=AC800C5CB2ECA56EA1FCDEFA02AB55F7D4CBF70D63A5FFD95A5C92064ADE033Efalsetrue 10341000x8000000000000000849075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:08.447{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2624-6387-0703-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:08.445{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2624-6387-0703-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000849073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:08.444{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2624-6387-0703-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000849072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:08.444{8A63456F-2624-6387-0703-000000009802}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000849071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:08.052{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000849070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:08.052{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B2391C18D3EC351CB9BDC60BCFE71225B476BA65C7721D0743D07D93111DA28Dfalsetrue 354300x8000000000000000849069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.906{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54247-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000849068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.906{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54247-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000849067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:05.570{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54246-false10.0.1.12-8000- 23542300x8000000000000000395895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:09.664{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E67BE4124A210EA2D480BFE5A9578C,SHA256=08887D7FA3C1606DBA326AF83D1DFC242C02AFEE3E68FD1209D32DF5F25E91B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000849091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.792{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2625-6387-0903-000000009802}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.792{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2625-6387-0903-000000009802}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000849089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.792{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2625-6387-0903-000000009802}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000849088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.794{8A63456F-2625-6387-0903-000000009802}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000849087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.542{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000849086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.542{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=58DC13B30F8BD6F318DA2DF1F0385629071A10FAA46B50C86EAE32E57F66345Ffalsetrue 534500x8000000000000000849085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.321{8A63456F-2625-6387-0803-000000009802}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 10341000x8000000000000000849084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.321{8A63456F-2625-6387-0803-000000009802}52124512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.118{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2625-6387-0803-000000009802}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.118{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2625-6387-0803-000000009802}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000849081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.118{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2625-6387-0803-000000009802}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000849080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.119{8A63456F-2625-6387-0803-000000009802}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:10.764{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F3ECE3AA697B71BAB5A244CA1B7B3E,SHA256=56958A0EC17A358044FA9132BCB685A843DD6D2A975241ABAF6771B07F89D11B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000849096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:10.636{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000849095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:10.636{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=70A8C39D0C33C716FA356BAE06FF2E5435FD5090E9FAB9FFABD179A1CAD17DB4falsetrue 354300x8000000000000000849094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:07.589{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54248-false20.83.81.164-443https 534500x8000000000000000849093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:10.028{8A63456F-2625-6387-0903-000000009802}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000849092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:10.012{8A63456F-2625-6387-0903-000000009802}3045360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000395897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:11.852{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A20AB0ABD98B4B5ACD14FEFFADBB0B3,SHA256=DC9C984E664FC1E54A5840C1F5D847C72B6DC336C4883D05E763E82126616D9B,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000849103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:11.990{8A63456F-2627-6387-0A03-000000009802}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 10341000x8000000000000000849102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:11.760{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2627-6387-0A03-000000009802}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:11.760{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2627-6387-0A03-000000009802}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000849100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:11.760{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2627-6387-0A03-000000009802}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000849099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:11.761{8A63456F-2627-6387-0A03-000000009802}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemSHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000849098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:11.745{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000849097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:11.745{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=BC219E40DAC63CD2AEF315E9F0C4487671B00AB3FD91770790FD4C4C1D5EE9CEfalsetrue 23542300x8000000000000000395898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:12.947{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82B60486EBFCC03922F30AFF42CB1E6,SHA256=54D71A5BF5D50A205243C1D005AA53E0EE3210FC0B6749A80BFA05CF6F8806E6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000849110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:12.830{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-11-17 09:52:17.849 23542300x8000000000000000849109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:12.830{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecuritySHA256=9A1C13DA9A3BAF017E9355194878F0BFF2C96A08151B04D79B446CCB4902947Ffalsetrue 11241100x8000000000000000849108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:12.813{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000849107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:12.813{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=5FFF91D4B6017198F7E6EAAF1BD5C56A4BBF690C02F1C5B61A1F610FCB3090C7falsetrue 354300x8000000000000000849106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.861{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local61287- 354300x8000000000000000849105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.818{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54249-false184.85.21.78a184-85-21-78.deploy.static.akamaitechnologies.com80http 354300x8000000000000000849104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:09.791{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local56628- 11241100x8000000000000000849116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:13.907{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000849115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:13.907{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=824A0A5428FAB1FC7DABD4DEDE945C53E6658F2DAABD7CC2BB6B6808690F17B5falsetrue 354300x8000000000000000395899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:08.836{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50598-false10.0.1.12-8000- 354300x8000000000000000849114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:10.984{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54253-false184.85.21.78a184-85-21-78.deploy.static.akamaitechnologies.com80http 354300x8000000000000000849113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:10.689{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54252-false184.85.21.78a184-85-21-78.deploy.static.akamaitechnologies.com80http 354300x8000000000000000849112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:10.395{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54251-false184.85.21.78a184-85-21-78.deploy.static.akamaitechnologies.com80http 354300x8000000000000000849111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:10.122{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54250-false20.212.115.176-80http 23542300x8000000000000000395900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:14.049{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B7BDB3FA9615168D64F1D7F65A1490,SHA256=505FCC2FEA8B3D20BE1BB4C0BAEC3FDDD422E705AD7171FB2E600D0C21631325,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000849118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:11.497{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54254-false10.0.1.12-8000- 354300x8000000000000000849117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:11.481{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local63867- 23542300x8000000000000000395901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:15.158{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6D79489EEA22B9DF0138BF7CC8D14F,SHA256=7B555343EDCF3D20252C63D40EA3D0D793C583231A8B484BF207B17C0056C9A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000849122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:12.508{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62301- 354300x8000000000000000849121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:12.484{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local62301- 11241100x8000000000000000849120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:14.999{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000849119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:14.999{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=B895CCB883A665F809A4F51E7EB82E7B585BEA79AAC2EDA0616DFCBB4CAE3800falsetrue 23542300x8000000000000000395902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:16.240{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76145E05EB0C124A28E1C41F998731A3,SHA256=A1EA51A832BA991073BAD315C34EF2A7473C6A935B6C44D17A96A89D0917FD1A,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000849125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:16.317{8A63456F-260E-6387-F802-000000009802}5208C:\Windows\System32\taskhostw.exe 11241100x8000000000000000849124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:16.098{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000849123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:16.098{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=A6236F2650011E40D65973E14D60D743229FA811448456B913FA7D6C39B612E6falsetrue 23542300x8000000000000000395904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:17.334{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E30A8845F210EA5E4D596C86E18785F1,SHA256=817DDF16FB97548370F194DC9D15ADA88985BD4658CBFE050AA9E679AE7B7720,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000849127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:17.192{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000849126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:17.192{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=F32BB1BA7509E9AB3F6D372C288AA245BF31422A1C25F8E73D9F548EDB8D49BAfalsetrue 354300x8000000000000000395903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:13.952{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50599-false10.0.1.12-8000- 23542300x8000000000000000395905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:18.436{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89347A44CE49FEF3E8B2DA735D0E1F18,SHA256=2E3F83B4FF04B25E0C32C033DDE541F5D77F4CDC8A07836B5942E26DC605F647,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000849129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:18.286{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000849128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:18.286{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=313B1CADD62DB4FBC7916B863E3EE05C70DE55EFDD13F147F2A42E5E03641DD4falsetrue 23542300x8000000000000000395906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:45:19.532{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7247E9E3280ABDB6FE6629BAD7B053,SHA256=094B33482F5CB39C647B30916C265982A29B8A6B85F0DB2F77DE5276CF1DDB06,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000849132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:19.371{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000849131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:19.371{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=FDA8B209B8EC3B0EF8684F73EBD7B9BDFDBAECDEADBC7E06DEA161B67F715B53falsetrue 354300x8000000000000000849130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:16.618{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54255-false10.0.1.12-8000- 10341000x8000000000000000849159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.695{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.690{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.684{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.681{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.673{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.670{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.669{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.664{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.657{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.652{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.649{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.646{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.588{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.580{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.559{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.548{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.538{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.520{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.508{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.491{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.481{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 11241100x8000000000000000849138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.463{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-11-17 09:54:29.846 23542300x8000000000000000849137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.463{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalSHA256=D83E5B68B562884F6CE9D9A117302CC69D772D54ACF584606F6EF603DA3F9531falsetrue 10341000x8000000000000000849136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.460{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.448{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.392{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190) 10341000x8000000000000000849133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:45:20.390{8A63456F-2424-6387-9602-000000009802}47841160C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398A190)